diff --git a/.chainsaw-config.yaml b/.chainsaw-config.yaml
new file mode 100644
index 00000000..9eb74c1a
--- /dev/null
+++ b/.chainsaw-config.yaml
@@ -0,0 +1,17 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Configuration
+metadata:
+ creationTimestamp: null
+ name: configuration
+spec:
+ parallel: 1
+ timeouts:
+ apply: 1m30s
+ assert: 1m30s
+ cleanup: 2m30s
+ delete: 1m30s
+ error: 1m30s
+ exec: 1m30s
+ fullName: true
+ forceTerminationGracePeriod: 5s
+ delayBeforeCleanup: 3s
diff --git a/.github/workflows/chainsaw-e2e.yaml b/.github/workflows/chainsaw-e2e.yaml
new file mode 100644
index 00000000..6beefb51
--- /dev/null
+++ b/.github/workflows/chainsaw-e2e.yaml
@@ -0,0 +1,46 @@
+name: ChainSaw Test
+on:
+ push:
+ branches:
+ - 'release-chart-1.10'
+
+ pull_request:
+ branches:
+ - 'release-chart-1.10'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ run-e2etest:
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version: [v1.29.2, v1.28.7, v1.27.11, v1.26.14, v1.25.16, v1.24.12, v1.23.17]
+ # For n4k-versions 1.10
+ n4k-chart-version: [3.0.18]
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Prepare environment
+ run: K8S_VERSION=${{ matrix.k8s-version }} make kind-create-cluster
+
+ - name: Install kyverno
+ run: N4K_VERSION=${{ matrix.n4k-chart-version }} make kind-deploy-kyverno
+
+ - name: Check Kyverno status
+ run: make wait-for-kyverno
+
+ - name: Install Chainsaw
+ uses: kyverno/action-install-chainsaw@v0.1.4
+
+ - name: Verify Chainsaw Installation
+ run: chainsaw version
+
+ - name: Test with Chainsaw
+ run: make test-chainsaw
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
deleted file mode 100644
index 12d442ee..00000000
--- a/.github/workflows/e2e.yaml
+++ /dev/null
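Review bot: `creationTimestamp: null` under `metadata` looks like serializer residue from a dumped Configuration object and carries no meaning in a hand-maintained file; drop the line so the config reads as intentional. A short comment above `spec` saying what `parallel: 1` and the 1m30s/2m30s timeouts are tuned for (one shared kind cluster per job, as the workflow runs it) would save the next person from guessing when a test goes flaky and they reach for these knobs.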
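Review bot: No `permissions:` block is set, so the job runs with the repository's default `GITHUB_TOKEN` scope, which on older repositories is read/write across the repository even though these steps only need to check out code; add `permissions:` / `  contents: read` at the top level of the workflow. Both actions are referenced by mutable tag (`actions/checkout@v3`, `kyverno/action-install-chainsaw@v0.1.4`); pinning each to a full commit SHA with the tag kept in a trailing comment is the usual hardening for a workflow that stands up a cluster and installs an admission controller into it. The `k8s-version` matrix feeds `KIND_IMAGE` through the Makefile, and each entry must exist as a `kindest/node` tag published for the kind release the Makefile installs (v0.22.0), which the job only discovers at `kind create cluster` time, so the list is worth checking against that release's images before merging since a missing tag fails the matrix leg rather than skipping it.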
@@ -1,32 +0,0 @@
-name: Kuttl Test
-
-on:
- push:
- branches:
- - 'kyverno-1.10'
- # this action needs to read GH secret
- # hence prevents executing on PRs from forks
- # disabling running on PRs until we find a workaround for this
- pull_request:
- branches:
- - 'kyverno-1.10'
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-
-jobs:
- run-e2etest:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v3
- - name: Prepare environment
- run: make kind-create-cluster
- - name: Install kyverno
- run: |
- N4K_LICENSE_KEY=${{ secrets.N4K_CI_LICENSE }} make kind-deploy-kyverno
- - name: Check Kyverno status
- run: make wait-for-kyverno
- - name: Test with kuttl
- run: make test-kuttl
diff --git a/Makefile b/Makefile
index fd70dd56..2dea7295 100644
--- a/Makefile
+++ b/Makefile
@@ -1,18 +1,16 @@
 .DEFAULT_GOAL: build-all
 K8S_VERSION ?= $(shell kubectl version --short | grep -i server | cut -d" " -f3 | cut -c2-)
-KIND_IMAGE ?= kindest/node:v1.27.1
+KIND_IMAGE ?= kindest/node:$(K8S_VERSION)
 KIND_NAME ?= kind
 USE_CONFIG ?= standard
 TOOLS_DIR := $(PWD)/.tools
 KIND := $(TOOLS_DIR)/kind
-KIND_VERSION := v0.19.0
+KIND_VERSION := v0.22.0
 HELM := $(TOOLS_DIR)/helm
 HELM_VERSION := v3.10.1
-KUTTL := $(TOOLS_DIR)/kubectl-kuttl
-KUTTL_VERSION := v0.0.0-20230108220859-ef8d83c89156
-TOOLS := $(KIND) $(HELM) $(KUTTL)
+TOOLS := $(KIND) $(HELM)
 $(KIND):
 @echo Install kind... >&2
@@ -22,10 +20,6 @@ $(HELM):
 @echo Install helm... >&2
 @GOBIN=$(TOOLS_DIR) go install helm.sh/helm/v3/cmd/helm@$(HELM_VERSION)
-$(KUTTL):
- @echo Install kuttl... >&2
- @GOBIN=$(TOOLS_DIR) go install github.com/kyverno/kuttl/cmd/kubectl-kuttl@$(KUTTL_VERSION)
-
 .PHONY: install-tools
 install-tools: $(TOOLS)
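Review bot: `KIND_IMAGE ?= kindest/node:$(K8S_VERSION)` is inconsistent with its own fallback: the `K8S_VERSION` default on the line above strips the leading `v` (`cut -c2-`), so without an explicit `K8S_VERSION` the image becomes `kindest/node:1.27.1`-style while kind publishes `v`-prefixed tags (the removed line used `kindest/node:v1.27.1`), and when no cluster is reachable the pipeline yields an empty string and kind is asked for `kindest/node:`. Normalising at the point of use handles both forms, `KIND_IMAGE ?= kindest/node:v$(patsubst v%,%,$(K8S_VERSION))`, and an explicit `ifeq ($(strip $(K8S_VERSION)),)` / `$(error K8S_VERSION is empty; pass it explicitly, e.g. K8S_VERSION=v1.29.2)` / `endif` turns the empty case into a clear message (it fires at parse time for every goal, so move the check into the `kind-create-cluster` recipe if that is too strict). Both definitions are recursive, so the `$(shell kubectl …)` is re-run on every expansion, and newer kubectl releases no longer accept `--short`, so the detected default is fragile in any case; the workflow side-steps this by always passing `K8S_VERSION`. `.DEFAULT_GOAL: build-all` on the first context line is a rule header, not the `.DEFAULT_GOAL := build-all` assignment it is meant to be, though that predates this commit.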
@@ -34,20 +28,20 @@ clean-tools:
 @echo Clean tools... >&2
 @rm -rf $(TOOLS_DIR)
-###############
-# KUTTL TESTS #
-###############
+##################
+# CHAINSAW TESTS #
+##################
-.PHONY: test-kuttl
-test-kuttl: $(KUTTL) ## Run kuttl tests
- @echo Running kuttl tests... >&2
- @$(KUTTL) test --config kuttl-test.yaml
+.PHONY: test-chainsaw
+test-chainsaw:
+ @echo Running chainsaw tests... >&2
+ @chainsaw test --config .chainsaw-config.yaml
 ## Create kind cluster
 .PHONY: kind-create-cluster
 kind-create-cluster: $(KIND)
 @echo Create kind cluster... >&2
- @$(KIND) create cluster --name $(KIND_NAME)
+ @$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE)
 ## Delete kind cluster
 .PHONY: kind-delete-cluster
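Review bot: `test-chainsaw` drops the tool prerequisite its predecessor had (`test-kuttl: $(KUTTL)`), so it now depends on a `chainsaw` binary already being on PATH and outside the workflow fails with a bare command-not-found; either give it a `$(CHAINSAW)` target installed into `$(TOOLS_DIR)` the way `$(KIND)` and `$(HELM)` are, or at least fail clearly with `@command -v chainsaw >/dev/null || { echo 'chainsaw not found on PATH (see kyverno/action-install-chainsaw)' >&2; exit 1; }` as the first recipe line. The `## Run kuttl tests` help text on the target line was dropped with it while the neighbouring targets keep their `##` comments, so `test-chainsaw: ## Run chainsaw tests` keeps them consistent. `kind-create-cluster` now selects the node image by tag only; kind's own guidance is to pin `kindest/node` images by `@sha256:` digest so a re-tagged image cannot silently change the test substrate, which matters more now that the tag is computed from a variable rather than written down.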
@@ -59,21 +53,15 @@ kind-delete-cluster: $(KIND) .PHONY: kind-deploy-kyverno kind-deploy-kyverno: $(HELM) @echo Install kyverno chart... >&2 - @echo $(N4K_LICENSE_KEY) >&2 - - ### Adding temporary installation command for the kyverno n4k 1.10 - ## git clone -b release-chart-1.10 https://github.com/nirmata/kyverno-charts.git - ## @$(HELM) install kyverno ./kyverno-charts/charts/nirmata -n kyverno --create-namespace --set licenseManager.licenseKey=+7BT76LNHCKLi3vW2mbYP5vYuS+Rm4XaLPu7k6Vgq4/efR3BEJk6Ru+zOFJagN2l0oLyG15qZ2kkXpzqaeEAal6APDLB7s3htLFeJ6mf0hc7/3dupUY13zrdX5svkS5p6BNKVisuXwK5XfF8sJyLn16I/CRdICj9fzktWQWYB5h46xOj5NlMPMj0/m6tCa3hIVJpB9Onkd4KMXlO+PQUbUwk/wxuciQkGwjbXQs+V9w0MuWMODpY0jGN1dgLNETI7mpS6G5DVvHkbAtrJ+gvG15aFFtKjgPInoemqxbhj2wzYue5pNSdHUZYE9b+LLlj - @$(HELM) repo add nirmata https://nirmata.github.io/kyverno-charts - @$(HELM) repo update nirmata - @$(HELM) install kyverno --namespace kyverno --create-namespace nirmata/kyverno --set licenseManager.licenseKey=+7BT76LNHCKLi3vW2mbYP5vYuS+Rm4XaLPu7k6Vgq4/efR3BEJk6Ru+zOFJagN2l0oLyG15qZ2kkXpzqaeEAal6APDLB7s3htLFeJ6mf0hc7/3dupUY13zrdX5svkS5p6BNKVisuXwK5XfF8sJyLn16I/CRdICj9fzktWQWYB5h46xOj5NlMPMj0/m6tCa3hIVJpB9Onkd4KMXlO+PQUbUwk/wxuciQkGwjbXQs+V9w0MuWMODpY0jGN1dgLNETI7mpS6G5DVvHkbAtrJ+gvG15aFFtKjgPInoemqxbhj2wzYue5pNSdHUZYE9b+LLlj --devel + @$(HELM) repo update + @$(HELM) install kyverno nirmata/kyverno -n kyverno --create-namespace --version=$(N4K_VERSION) ## Check Kyverno status .PHONY: wait-for-kyverno wait-for-kyverno: @echo Check kyverno status to be ready... >&2 - @kubectl wait --namespace kyverno --for=condition=ready pod --all --timeout=120s + @kubectl wait --namespace kyverno --for=condition=ready pod --all --timeout=180s ##################### # Kyverno CLI TESTS # diff --git a/best-practices/disallow-empty-ingress-host/e2e/01-policy.yaml b/best-practices/disallow-empty-ingress-host/e2e/01-policy.yaml deleted file mode 100644 index 09a6287b..00000000 
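Review bot: `@$(HELM) repo update` on the new side has no preceding `helm repo add nirmata …`, which the removed lines did have; on a fresh runner with no repositories configured `helm repo update` itself errors out, and even where it did not, `nirmata/kyverno` on the next line would not resolve, so restore it as `@$(HELM) repo add nirmata https://nirmata.github.io/kyverno-charts --force-update` ahead of the update. `--version=$(N4K_VERSION)` becomes `--version=` when the variable is unset, which helm reads as "latest" rather than an error, so a local `make kind-deploy-kyverno` silently tests a different chart than CI; a guard such as `@test -n "$(N4K_VERSION)" || { echo 'N4K_VERSION is required' >&2; exit 1; }` at the top of the recipe makes the contract explicit. Removing the echo of the licence key and the inline key from the install line is the right direction, but the value stays in git history, so it should be treated as exposed and rotated on the licence side rather than relied on as still private.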
--- a/best-practices/disallow-empty-ingress-host/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../disallow_empty_ingress_host.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/disallow-empty-ingress-host/e2e/02-enforce.yaml b/best-practices/disallow-empty-ingress-host/e2e/02-enforce.yaml deleted file mode 100644 index 38bafd8b..00000000 --- a/best-practices/disallow-empty-ingress-host/e2e/02-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow_empty_ingress_host.yaml | kubectl apply -f - diff --git a/best-practices/disallow-empty-ingress-host/e2e/04-manifests.yaml b/best-practices/disallow-empty-ingress-host/e2e/04-manifests.yaml deleted file mode 100644 index baaf463d..00000000 --- a/best-practices/disallow-empty-ingress-host/e2e/04-manifests.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-ingress.yaml - shouldFail: false -- file: no-host-ingress.yaml - shouldFail: true -- file: no-host-fail-first.yaml - shouldFail: true -- file: no-host-success-first.yaml - shouldFail: true diff --git a/best-practices/disallow-empty-ingress-host/e2e/99-delete.yaml b/best-practices/disallow-empty-ingress-host/e2e/99-delete.yaml deleted file mode 100644 index a23ec656..00000000 --- a/best-practices/disallow-empty-ingress-host/e2e/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: disallow-empty-ingress-host diff --git a/best-practices/disallow-empty-ingress-host/e2e/good-ingress.yaml b/best-practices/disallow-empty-ingress-host/e2e/good-ingress.yaml deleted file mode 100644 index 2be70167..00000000 --- a/best-practices/disallow-empty-ingress-host/e2e/good-ingress.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: ingress-wildcard-host -spec: - rules: - - host: "foo.bar.com" - http: - paths: - - pathType: Prefix - path: "/bar" - backend: - service: - name: service1 - port: - number: 80 - - host: "*.foo.com" - http: - paths: - - pathType: Prefix - path: "/foo" - backend: - service: - name: service2 - port: - number: 80 diff --git a/best-practices/disallow-empty-ingress-host/e2e/no-host-fail-first.yaml b/best-practices/disallow-empty-ingress-host/e2e/no-host-fail-first.yaml deleted file mode 100644 index b069cd2d..00000000 --- a/best-practices/disallow-empty-ingress-host/e2e/no-host-fail-first.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: ingress-host -spec: - rules: - - http: - paths: - - pathType: Prefix - path: "/bar" - backend: - service: - name: service1 - port: - number: 80 - - host: "bar.foo.com" - http: - paths: - - pathType: Prefix - path: "/foo" - backend: - service: - name: service2 - port: - number: 80 diff --git a/best-practices/disallow-empty-ingress-host/e2e/no-host-ingress.yaml b/best-practices/disallow-empty-ingress-host/e2e/no-host-ingress.yaml deleted file mode 100644 index 76640b94..00000000 --- a/best-practices/disallow-empty-ingress-host/e2e/no-host-ingress.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: minimal-ingress - annotations: - nginx.ingress.kubernetes.io/rewrite-target: / -spec: - rules: - - http: - paths: - - path: /testpath - pathType: Prefix - backend: - service: - name: test - port: - number: 80 diff --git a/best-practices/disallow-empty-ingress-host/e2e/no-host-success-first.yaml b/best-practices/disallow-empty-ingress-host/e2e/no-host-success-first.yaml deleted file mode 100644 index d2de72ab..00000000 --- a/best-practices/disallow-empty-ingress-host/e2e/no-host-success-first.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: ingress-host -spec: - rules: - - host: "bar.foo.com" - http: - paths: - - pathType: Prefix - path: "/bar" - backend: - service: - name: service1 - port: - number: 80 - - http: - paths: - - pathType: Prefix - path: "/foo" - backend: - service: - name: service2 - port: - number: 80 diff --git a/best-practices/disallow_cri_sock_mount/e2e/01-policy.yaml b/best-practices/disallow_cri_sock_mount/e2e/01-policy.yaml deleted file mode 100644 index e25d199f..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../disallow_cri_sock_mount.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/disallow_cri_sock_mount/e2e/02-enforce.yaml b/best-practices/disallow_cri_sock_mount/e2e/02-enforce.yaml deleted file mode 100644 index a1e3e324..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/02-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow_cri_sock_mount.yaml | kubectl apply -f - diff --git a/best-practices/disallow_cri_sock_mount/e2e/04-manifests.yaml b/best-practices/disallow_cri_sock_mount/e2e/04-manifests.yaml deleted file mode 100644 index 323f86bd..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/04-manifests.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-pod.yaml - shouldFail: false -- file: pod-containerd-sock.yaml - shouldFail: true -- file: pod-docker-sock.yaml - shouldFail: true -- file: pod-crio-sock.yaml - shouldFail: true -- file: pod-emptydir-vol.yaml - shouldFail: false -- file: pod-no-volumes.yaml - shouldFail: false 
diff --git a/best-practices/disallow_cri_sock_mount/e2e/99-delete.yaml b/best-practices/disallow_cri_sock_mount/e2e/99-delete.yaml deleted file mode 100644 index c25cfce8..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: disallow-container-sock-mounts diff --git a/best-practices/disallow_cri_sock_mount/e2e/good-pod.yaml b/best-practices/disallow_cri_sock_mount/e2e/good-pod.yaml deleted file mode 100644 index 18e33eb1..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/good-pod.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 -spec: - containers: - - name: myshell - image: "ubuntu:18.04" - command: - - /bin/sleep - - "300" - volumes: - - name: data - hostPath: - path: /data diff --git a/best-practices/disallow_cri_sock_mount/e2e/pod-containerd-sock.yaml b/best-practices/disallow_cri_sock_mount/e2e/pod-containerd-sock.yaml deleted file mode 100644 index 1baddfe7..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/pod-containerd-sock.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-containerd-sock-mount -spec: - containers: - - name: myshell - image: "ubuntu:18.04" - command: - - /bin/sleep - - "300" - volumes: - - name: dockersock - hostPath: - path: /var/run/containerd.sock diff --git a/best-practices/disallow_cri_sock_mount/e2e/pod-crio-sock.yaml b/best-practices/disallow_cri_sock_mount/e2e/pod-crio-sock.yaml deleted file mode 100644 index b25d5268..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/pod-crio-sock.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-crio-sock-mount -spec: - containers: - - name: myshell - image: "ubuntu:18.04" - command: - - /bin/sleep - - "300" - volumes: - - name: dockersock - hostPath: - path: /var/run/crio.sock 
diff --git a/best-practices/disallow_cri_sock_mount/e2e/pod-docker-sock.yaml b/best-practices/disallow_cri_sock_mount/e2e/pod-docker-sock.yaml deleted file mode 100644 index 5f45189e..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/pod-docker-sock.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-docker-sock-mount -spec: - containers: - - name: myshell - image: "ubuntu:18.04" - command: - - /bin/sleep - - "300" - volumes: - - name: dockersock - hostPath: - path: /var/run/docker.sock diff --git a/best-practices/disallow_cri_sock_mount/e2e/pod-emptydir-vol.yaml b/best-practices/disallow_cri_sock_mount/e2e/pod-emptydir-vol.yaml deleted file mode 100644 index b63c6acb..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/pod-emptydir-vol.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-emptydir-volume -spec: - containers: - - name: busybox - image: busybox:1.35 - command: - - sleep - - "3600" - volumes: - - name: mydir - emptyDir: {} diff --git a/best-practices/disallow_cri_sock_mount/e2e/pod-no-volumes.yaml b/best-practices/disallow_cri_sock_mount/e2e/pod-no-volumes.yaml deleted file mode 100644 index 4cdbe80c..00000000 --- a/best-practices/disallow_cri_sock_mount/e2e/pod-no-volumes.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: pod-with-no-volumes -spec: - automountServiceAccountToken: false - containers: - - name: busybox - image: busybox:1.35 - command: - - sleep - - "3600" diff --git a/best-practices/disallow_default_namespace/e2e/01-policy.yaml b/best-practices/disallow_default_namespace/e2e/01-policy.yaml deleted file mode 100644 index ff4b0362..00000000 --- a/best-practices/disallow_default_namespace/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../disallow_default_namespace.yaml -assert: -- policy-assert.yaml 
diff --git a/best-practices/disallow_default_namespace/e2e/02-enforce.yaml b/best-practices/disallow_default_namespace/e2e/02-enforce.yaml deleted file mode 100644 index 04401b72..00000000 --- a/best-practices/disallow_default_namespace/e2e/02-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow_default_namespace.yaml | kubectl apply -f - diff --git a/best-practices/disallow_default_namespace/e2e/05-manifests.yaml b/best-practices/disallow_default_namespace/e2e/05-manifests.yaml deleted file mode 100644 index 25df973d..00000000 --- a/best-practices/disallow_default_namespace/e2e/05-manifests.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-resources.yaml - shouldFail: false -- file: pod-default.yaml - shouldFail: true -- file: ds-default.yaml - shouldFail: true -- file: job-default.yaml - shouldFail: true -- file: ss-default.yaml - shouldFail: true -- file: deploy-default.yaml - shouldFail: true diff --git a/best-practices/disallow_default_namespace/e2e/99-delete.yaml b/best-practices/disallow_default_namespace/e2e/99-delete.yaml deleted file mode 100644 index deedb869..00000000 --- a/best-practices/disallow_default_namespace/e2e/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: disallow-default-namespace diff --git a/best-practices/disallow_default_namespace/e2e/deploy-default.yaml b/best-practices/disallow_default_namespace/e2e/deploy-default.yaml deleted file mode 100644 index 6b10f5c2..00000000 --- a/best-practices/disallow_default_namespace/e2e/deploy-default.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: bad-busybox - namespace: default -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: busybox:v1.35 - name: busybox - command: - - "sleep" - - "3000" diff --git a/best-practices/disallow_default_namespace/e2e/ds-default.yaml b/best-practices/disallow_default_namespace/e2e/ds-default.yaml deleted file mode 100644 index 4bd03337..00000000 --- a/best-practices/disallow_default_namespace/e2e/ds-default.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: bad-daemonset - namespace: default -spec: - selector: - matchLabels: - name: good-daemonset - template: - metadata: - labels: - name: good-daemonset - spec: - containers: - - image: busybox:v1.35 - name: busybox - command: - - "sleep" - - "3000" diff --git a/best-practices/disallow_default_namespace/e2e/good-resources.yaml b/best-practices/disallow_default_namespace/e2e/good-resources.yaml deleted file mode 100644 index cc79974f..00000000 --- a/best-practices/disallow_default_namespace/e2e/good-resources.yaml +++ /dev/null 
@@ -1,97 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 - namespace: not-default-ns -spec: - containers: - - name: busybox - image: "busybox:v1.35" - command: - - "sleep" - - "3000" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: busybox - name: busybox - namespace: not-default-ns -spec: - replicas: 1 - selector: - matchLabels: - app: busybox - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: busybox:v1.35 - name: busybox - command: - - "sleep" - - "3000" ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: good-daemonset - namespace: not-default-ns -spec: - selector: - matchLabels: - name: good-daemonset - template: - metadata: - labels: - name: good-daemonset - spec: - containers: - - image: busybox:v1.35 - name: busybox - command: - - "sleep" - - "3000" ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: good-job - namespace: not-default-ns -spec: - template: - spec: - containers: - - image: busybox:v1.35 - name: busybox - command: - - "sleep" - - "3000" - restartPolicy: Never ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: good-statefulset - namespace: not-default-ns -spec: - selector: - matchLabels: - app: busybox - serviceName: "busyservice" - replicas: 1 - minReadySeconds: 10 - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: busybox:v1.35 - name: busybox - command: - - "sleep" - - "3000" diff --git a/best-practices/disallow_default_namespace/e2e/job-default.yaml b/best-practices/disallow_default_namespace/e2e/job-default.yaml deleted file mode 100644 index 31283b5a..00000000 --- a/best-practices/disallow_default_namespace/e2e/job-default.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: bad-job - namespace: default -spec: - template: - spec: - containers: - - image: busybox:v1.35 - name: busybox - command: - - "sleep" - - "3000" - restartPolicy: Never 
diff --git a/best-practices/disallow_default_namespace/e2e/pod-default.yaml b/best-practices/disallow_default_namespace/e2e/pod-default.yaml deleted file mode 100644 index 0046ecb1..00000000 --- a/best-practices/disallow_default_namespace/e2e/pod-default.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 - namespace: default -spec: - containers: - - name: busybox - image: "busybox:v1.35" - command: - - "sleep" - - "3000" diff --git a/best-practices/disallow_default_namespace/e2e/ss-default.yaml b/best-practices/disallow_default_namespace/e2e/ss-default.yaml deleted file mode 100644 index 9c9601f3..00000000 --- a/best-practices/disallow_default_namespace/e2e/ss-default.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: good-statefulset - namespace: default -spec: - selector: - matchLabels: - app: busybox - serviceName: "busyservice" - replicas: 1 - minReadySeconds: 10 - template: - metadata: - labels: - app: busybox - spec: - containers: - - image: busybox:v1.35 - name: busybox - command: - - "sleep" - - "3000" diff --git a/best-practices/disallow_latest_tag/e2e/01-policy.yaml b/best-practices/disallow_latest_tag/e2e/01-policy.yaml deleted file mode 100644 index 438b96f1..00000000 --- a/best-practices/disallow_latest_tag/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../disallow_latest_tag.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/disallow_latest_tag/e2e/02-enforce.yaml b/best-practices/disallow_latest_tag/e2e/02-enforce.yaml deleted file mode 100644 index 15c83f00..00000000 --- a/best-practices/disallow_latest_tag/e2e/02-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow_latest_tag.yaml | kubectl apply -f - 
diff --git a/best-practices/disallow_latest_tag/e2e/04-manifests.yaml b/best-practices/disallow_latest_tag/e2e/04-manifests.yaml deleted file mode 100644 index 08db99a2..00000000 --- a/best-practices/disallow_latest_tag/e2e/04-manifests.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-pod.yaml - shouldFail: false -- file: bad-pod-latest-fail-first.yaml - shouldFail: true -- file: bad-pod-latest-success-first.yaml - shouldFail: true -- file: bad-pod-no-tag.yaml - shouldFail: true diff --git a/best-practices/disallow_latest_tag/e2e/99-delete.yaml b/best-practices/disallow_latest_tag/e2e/99-delete.yaml deleted file mode 100644 index a4aa5b4c..00000000 --- a/best-practices/disallow_latest_tag/e2e/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: disallow-latest-tag diff --git a/best-practices/disallow_latest_tag/e2e/bad-pod-latest-fail-first.yaml b/best-practices/disallow_latest_tag/e2e/bad-pod-latest-fail-first.yaml deleted file mode 100644 index 8747e486..00000000 --- a/best-practices/disallow_latest_tag/e2e/bad-pod-latest-fail-first.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-latest -spec: - containers: - - name: busybox - image: busybox:latest - - name: nginx - image: nginx:1.35 diff --git a/best-practices/disallow_latest_tag/e2e/bad-pod-latest-success-first.yaml b/best-practices/disallow_latest_tag/e2e/bad-pod-latest-success-first.yaml deleted file mode 100644 index 34ca06eb..00000000 --- a/best-practices/disallow_latest_tag/e2e/bad-pod-latest-success-first.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-latest -spec: - containers: - - name: nginx - image: nginx:1.35 - - name: busybox - image: busybox:latest 
diff --git a/best-practices/disallow_latest_tag/e2e/bad-pod-no-tag.yaml b/best-practices/disallow_latest_tag/e2e/bad-pod-no-tag.yaml deleted file mode 100644 index 4b925e67..00000000 --- a/best-practices/disallow_latest_tag/e2e/bad-pod-no-tag.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-no-tag -spec: - containers: - - name: busybox - image: busybox - - name: nginx - image: nginx:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod-no-tag -spec: - containers: - - name: nginx - image: nginx:1.35 - - name: busybox - image: busybox ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod-no-tag -spec: - containers: - - name: busybox - image: busybox - - name: nginx - image: nginx:latest diff --git a/best-practices/disallow_latest_tag/e2e/good-pod.yaml b/best-practices/disallow_latest_tag/e2e/good-pod.yaml deleted file mode 100644 index 142b4d84..00000000 --- a/best-practices/disallow_latest_tag/e2e/good-pod.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod-ht -spec: - containers: - - name: busybox - image: busybox:v1.35 diff --git a/best-practices/require_drop_all/e2e/01-policy.yaml b/best-practices/require_drop_all/e2e/01-policy.yaml deleted file mode 100644 index d6c06215..00000000 --- a/best-practices/require_drop_all/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../require_drop_all.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/require_drop_all/e2e/02-enforce.yaml b/best-practices/require_drop_all/e2e/02-enforce.yaml deleted file mode 100644 index 4893266a..00000000 --- a/best-practices/require_drop_all/e2e/02-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require_drop_all.yaml | kubectl apply -f - 
diff --git a/best-practices/require_drop_all/e2e/04-manifests.yaml b/best-practices/require_drop_all/e2e/04-manifests.yaml deleted file mode 100644 index 4e786966..00000000 --- a/best-practices/require_drop_all/e2e/04-manifests.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: good-pod.yaml - shouldFail: false -- file: good-podcontrollers.yaml - shouldFail: false -- file: bad-pod-containers.yaml - shouldFail: true -- file: bad-pod-initcontainers.yaml - shouldFail: true -- file: bad-pod-corner.yaml - shouldFail: true -- file: bad-podcontrollers.yaml - shouldFail: true diff --git a/best-practices/require_drop_all/e2e/99-delete.yaml b/best-practices/require_drop_all/e2e/99-delete.yaml deleted file mode 100644 index 9bd68940..00000000 --- a/best-practices/require_drop_all/e2e/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: drop-all-capabilities diff --git a/best-practices/require_drop_all/e2e/bad-pod-containers.yaml b/best-practices/require_drop_all/e2e/bad-pod-containers.yaml deleted file mode 100644 index 8843ab22..00000000 --- a/best-practices/require_drop_all/e2e/bad-pod-containers.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities-again - image: busybox:1.35 - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL diff --git a/best-practices/require_drop_all/e2e/bad-pod-corner.yaml b/best-practices/require_drop_all/e2e/bad-pod-corner.yaml deleted file mode 100644 index 370608f8..00000000 --- a/best-practices/require_drop_all/e2e/bad-pod-corner.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ["CAP_NET_RAW"] ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-good -spec: - containers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - - name: init-again - image: busybox:1.35 diff --git a/best-practices/require_drop_all/e2e/bad-pod-initcontainers.yaml b/best-practices/require_drop_all/e2e/bad-pod-initcontainers.yaml deleted file mode 100644 index c6a0e3ec..00000000 --- a/best-practices/require_drop_all/e2e/bad-pod-initcontainers.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - initContainers: - - name: init - image: busybox:1.35 - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL 
diff --git a/best-practices/require_drop_all/e2e/bad-podcontrollers.yaml b/best-practices/require_drop_all/e2e/bad-podcontrollers.yaml deleted file mode 100644 index d5e93a82..00000000 --- a/best-practices/require_drop_all/e2e/bad-podcontrollers.yaml +++ /dev/null 
@@ -1,153 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: dropall-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: dropall-baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: dropall-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: dropall-badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - 
spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: busybox:1.35 diff --git a/best-practices/require_drop_all/e2e/good-pod.yaml b/best-practices/require_drop_all/e2e/good-pod.yaml deleted file mode 100644 index 36672e51..00000000 --- a/best-practices/require_drop_all/e2e/good-pod.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-good -spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - drop: - - ALL - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL diff --git a/best-practices/require_drop_all/e2e/good-podcontrollers.yaml b/best-practices/require_drop_all/e2e/good-podcontrollers.yaml deleted file mode 100644 index ba02364a..00000000 --- a/best-practices/require_drop_all/e2e/good-podcontrollers.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: dropall-gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: dropall-goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - ALL diff --git a/best-practices/require_drop_cap_net_raw/e2e/01-policy.yaml b/best-practices/require_drop_cap_net_raw/e2e/01-policy.yaml deleted file mode 100644 index ffe7eda0..00000000 --- a/best-practices/require_drop_cap_net_raw/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../require_drop_cap_net_raw.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/require_drop_cap_net_raw/e2e/02-enforce.yaml b/best-practices/require_drop_cap_net_raw/e2e/02-enforce.yaml deleted file mode 100644 index 88bfa5d5..00000000 
--- a/best-practices/require_drop_cap_net_raw/e2e/02-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require_drop_cap_net_raw.yaml | kubectl apply -f -
diff --git a/best-practices/require_drop_cap_net_raw/e2e/04-manifests.yaml b/best-practices/require_drop_cap_net_raw/e2e/04-manifests.yaml
deleted file mode 100644
index 4e786966..00000000
--- a/best-practices/require_drop_cap_net_raw/e2e/04-manifests.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: good-pod.yaml
- shouldFail: false
-- file: good-podcontrollers.yaml
- shouldFail: false
-- file: bad-pod-containers.yaml
- shouldFail: true
-- file: bad-pod-initcontainers.yaml
- shouldFail: true
-- file: bad-pod-corner.yaml
- shouldFail: true
-- file: bad-podcontrollers.yaml
- shouldFail: true
diff --git a/best-practices/require_drop_cap_net_raw/e2e/99-delete.yaml b/best-practices/require_drop_cap_net_raw/e2e/99-delete.yaml
deleted file mode 100644
index 65e3f7b5..00000000
--- a/best-practices/require_drop_cap_net_raw/e2e/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: drop-cap-net-raw
diff --git a/best-practices/require_drop_cap_net_raw/e2e/bad-pod-containers.yaml b/best-practices/require_drop_cap_net_raw/e2e/bad-pod-containers.yaml
deleted file mode 100644
index 98055082..00000000
--- a/best-practices/require_drop_cap_net_raw/e2e/bad-pod-containers.yaml
+++ /dev/null
@@ -1,61 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: drop-capnetraw-bad01 -spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: add-capabilities-again - image: busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: drop-capnetraw-bad02 -spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - containers: - - name: add-capabilities-again - image: busybox:1.35 - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW diff --git a/best-practices/require_drop_cap_net_raw/e2e/bad-pod-corner.yaml b/best-practices/require_drop_cap_net_raw/e2e/bad-pod-corner.yaml deleted file mode 100644 index 9834e636..00000000 --- a/best-practices/require_drop_cap_net_raw/e2e/bad-pod-corner.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - drop: - - CAP_NET_RAW - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - drop: - - CAP_NET_RAW ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - drop: - - CAP_NET_RAW ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-good -spec: - containers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - drop: - - CAP_NET_RAW - - name: init-again - image: busybox:1.35 diff --git a/best-practices/require_drop_cap_net_raw/e2e/bad-pod-initcontainers.yaml b/best-practices/require_drop_cap_net_raw/e2e/bad-pod-initcontainers.yaml deleted file mode 100644 index dba8a40b..00000000 --- a/best-practices/require_drop_cap_net_raw/e2e/bad-pod-initcontainers.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW ---- -apiVersion: v1 -kind: Pod -metadata: - name: add-capabilities-bad -spec: - initContainers: - - name: init - image: busybox:1.35 - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW 
diff --git a/best-practices/require_drop_cap_net_raw/e2e/bad-podcontrollers.yaml b/best-practices/require_drop_cap_net_raw/e2e/bad-podcontrollers.yaml
deleted file mode 100644
index 7bf7d963..00000000
--- a/best-practices/require_drop_cap_net_raw/e2e/bad-podcontrollers.yaml
+++ /dev/null
@@ -1,153 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: dropall-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: add-capabilities-again - image: busybox:1.35 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: dropall-baddeployment02 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: dropall-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - 
name: dropall-badcronjob02 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: add-capabilities-again - image: busybox:1.35 diff --git a/best-practices/require_drop_cap_net_raw/e2e/good-pod.yaml b/best-practices/require_drop_cap_net_raw/e2e/good-pod.yaml deleted file mode 100644 index 0063c7c0..00000000 --- a/best-practices/require_drop_cap_net_raw/e2e/good-pod.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: drop-capnetraw-good -spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - drop: - - CAP_NET_RAW - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - drop: - - CAP_NET_RAW - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - drop: - - CAP_NET_RAW diff --git a/best-practices/require_drop_cap_net_raw/e2e/good-podcontrollers.yaml b/best-practices/require_drop_cap_net_raw/e2e/good-podcontrollers.yaml deleted file mode 100644 index ebe05d7f..00000000 --- a/best-practices/require_drop_cap_net_raw/e2e/good-podcontrollers.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: dropcapnetraw-gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - app: app - spec: - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: dropcapnetraw-goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - initContainers: - - name: init - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: init2 - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - containers: - - name: add-capabilities - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW - - name: add-capabilities-again - image: busybox:1.35 - securityContext: - capabilities: - add: ["SYS_TIME"] - drop: - - CAP_NET_RAW diff --git a/best-practices/require_labels/e2e/01-policy.yaml b/best-practices/require_labels/e2e/01-policy.yaml deleted file mode 100644 index 9694930f..00000000 --- a/best-practices/require_labels/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../require_labels.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/require_labels/e2e/02-enforce.yaml b/best-practices/require_labels/e2e/02-enforce.yaml deleted file mode 100644 index b04c0d7b..00000000 
--- a/best-practices/require_labels/e2e/02-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require_labels.yaml | kubectl apply -f -
diff --git a/best-practices/require_labels/e2e/04-manifests.yaml b/best-practices/require_labels/e2e/04-manifests.yaml
deleted file mode 100644
index 0a513c98..00000000
--- a/best-practices/require_labels/e2e/04-manifests.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: good-pods.yaml
- shouldFail: false
-- file: good-podcontrollers.yaml
- shouldFail: false
-- file: bad-pod-nolabel.yaml
- shouldFail: true
-- file: bad-pod-somelabel.yaml
- shouldFail: true
-- file: bad-podcontrollers.yaml
- shouldFail: true
diff --git a/best-practices/require_labels/e2e/99-delete.yaml b/best-practices/require_labels/e2e/99-delete.yaml
deleted file mode 100644
index 36ddfef8..00000000
--- a/best-practices/require_labels/e2e/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: require-labels
diff --git a/best-practices/require_labels/e2e/bad-pod-nolabel.yaml b/best-practices/require_labels/e2e/bad-pod-nolabel.yaml
deleted file mode 100644
index a1427ea3..00000000
--- a/best-practices/require_labels/e2e/bad-pod-nolabel.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod-nolabel
-spec:
- containers:
- - name: busybox
- image: busybox:1.35
diff --git a/best-practices/require_labels/e2e/bad-pod-somelabel.yaml b/best-practices/require_labels/e2e/bad-pod-somelabel.yaml
deleted file mode 100644
index b01774b6..00000000
--- a/best-practices/require_labels/e2e/bad-pod-somelabel.yaml
+++ /dev/null
@@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-somelabel - labels: - my.io/foo: bar -spec: - containers: - - name: busybox - image: busybox:1.35 diff --git a/best-practices/require_labels/e2e/bad-podcontrollers.yaml b/best-practices/require_labels/e2e/bad-podcontrollers.yaml deleted file mode 100644 index 732f37c1..00000000 --- a/best-practices/require_labels/e2e/bad-podcontrollers.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reqlabels-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - app: app - template: - metadata: - labels: - foo: bar - spec: - containers: - - name: busybox - image: busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: reqlabels-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - foo: bar - spec: - restartPolicy: OnFailure - containers: - - name: busybox - image: busybox:1.35 diff --git a/best-practices/require_labels/e2e/good-podcontrollers.yaml b/best-practices/require_labels/e2e/good-podcontrollers.yaml deleted file mode 100644 index 7d3866a5..00000000 --- a/best-practices/require_labels/e2e/good-podcontrollers.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reqlabels-gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - foo: bar - app.kubernetes.io/name: bar - template: - metadata: - labels: - foo: bar - app.kubernetes.io/name: bar - spec: - containers: - - name: busybox - image: busybox:1.35 ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: reqlabels-goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - metadata: - labels: - foo: bar - app.kubernetes.io/name: bar - spec: - restartPolicy: OnFailure - containers: - - name: busybox - image: busybox:1.35 
diff --git a/best-practices/require_labels/e2e/good-pods.yaml b/best-practices/require_labels/e2e/good-pods.yaml
deleted file mode 100644
index 0df55f78..00000000
--- a/best-practices/require_labels/e2e/good-pods.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01-label
- labels:
- app.kubernetes.io/name: busybox
-spec:
- containers:
- - name: busybox
- image: busybox:1.35
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02-label
- labels:
- foo: bar
- app.kubernetes.io/name: busybox
-spec:
- containers:
- - name: busybox
- image: busybox:1.35
diff --git a/best-practices/require_pod_requests_limits/e2e/01-policy.yaml b/best-practices/require_pod_requests_limits/e2e/01-policy.yaml
deleted file mode 100644
index 7d85d601..00000000
--- a/best-practices/require_pod_requests_limits/e2e/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- ../require_pod_requests_limits.yaml
-assert:
-- policy-assert.yaml
diff --git a/best-practices/require_pod_requests_limits/e2e/02-enforce.yaml b/best-practices/require_pod_requests_limits/e2e/02-enforce.yaml
deleted file mode 100644
index 36a6a593..00000000
--- a/best-practices/require_pod_requests_limits/e2e/02-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require_pod_requests_limits.yaml | kubectl apply -f -
diff --git a/best-practices/require_pod_requests_limits/e2e/03-enforce-policy-assert.yaml b/best-practices/require_pod_requests_limits/e2e/03-enforce-policy-assert.yaml
deleted file mode 100644
index 95d59fe5..00000000
--- a/best-practices/require_pod_requests_limits/e2e/03-enforce-policy-assert.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-requests-limits
-spec:
- validationFailureAction: Enforce
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/best-practices/require_pod_requests_limits/e2e/04-manifests.yaml b/best-practices/require_pod_requests_limits/e2e/04-manifests.yaml
deleted file mode 100644
index 3f4a3cc0..00000000
--- a/best-practices/require_pod_requests_limits/e2e/04-manifests.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: good-pods.yaml
- shouldFail: false
-- file: good-podcontrollers.yaml
- shouldFail: false
-- file: bad-pod-nolimit.yaml
- shouldFail: true
-- file: bad-pod-nores.yaml
- shouldFail: true
-- file: bad-pod-nothing.yaml
- shouldFail: true
-- file: bad-podcontrollers.yaml
- shouldFail: true
diff --git a/best-practices/require_pod_requests_limits/e2e/99-delete.yaml b/best-practices/require_pod_requests_limits/e2e/99-delete.yaml
deleted file mode 100644
index 74621378..00000000
--- a/best-practices/require_pod_requests_limits/e2e/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: require-requests-limits
diff --git a/best-practices/require_pod_requests_limits/e2e/bad-pod-nolimit.yaml b/best-practices/require_pod_requests_limits/e2e/bad-pod-nolimit.yaml
deleted file mode 100644
index d8d9045f..00000000
--- a/best-practices/require_pod_requests_limits/e2e/bad-pod-nolimit.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod-nolimit
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: busybox:1.35
- resources:
- requests:
- memory: "256Mi"
- cpu: "0.5"
diff --git a/best-practices/require_pod_requests_limits/e2e/bad-pod-nores.yaml b/best-practices/require_pod_requests_limits/e2e/bad-pod-nores.yaml deleted file mode 100644 index 7d694f31..00000000 --- a/best-practices/require_pod_requests_limits/e2e/bad-pod-nores.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod-nores - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:1.35 - - name: busybox-again - image: busybox:1.35 - resources: - requests: - memory: "256Mi" - cpu: "0.5" - limits: - memory: "256Mi" ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod-nores - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:1.35 - resources: - requests: - memory: "256Mi" - cpu: "0.5" - limits: - memory: "256Mi" - - name: busybox-again - image: busybox:1.35 diff --git a/best-practices/require_pod_requests_limits/e2e/bad-pod-nothing.yaml b/best-practices/require_pod_requests_limits/e2e/bad-pod-nothing.yaml deleted file mode 100644 index 7baca6ba..00000000 --- a/best-practices/require_pod_requests_limits/e2e/bad-pod-nothing.yaml +++ /dev/null @@ -1,11 +0,0 @@ - -apiVersion: v1 -kind: Pod -metadata: - name: badpod-nothing - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:v1.35 diff --git a/best-practices/require_pod_requests_limits/e2e/bad-podcontrollers.yaml b/best-practices/require_pod_requests_limits/e2e/bad-podcontrollers.yaml deleted file mode 100644 index f0fbe1b7..00000000 --- a/best-practices/require_pod_requests_limits/e2e/bad-podcontrollers.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reqpodlimits-baddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - foo: bar - template: - metadata: - labels: - foo: bar - spec: - containers: - - name: busybox - image: busybox - - name: busybox-again - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: reqpodlimits-badcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: busybox - image: busybox - - name: busybox-again - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" diff --git a/best-practices/require_pod_requests_limits/e2e/good-podcontrollers.yaml b/best-practices/require_pod_requests_limits/e2e/good-podcontrollers.yaml deleted file mode 100644 index a94b57bf..00000000 --- a/best-practices/require_pod_requests_limits/e2e/good-podcontrollers.yaml +++ /dev/null @@ -1,60 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reqpodlimits-gooddeployment01 -spec: - replicas: 1 - selector: - matchLabels: - foo: bar - template: - metadata: - labels: - foo: bar - spec: - containers: - - name: busybox - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" - - name: busybox-again - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: reqpodlimits-goodcronjob01 -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: busybox - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" - - name: busybox-again - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" 
diff --git a/best-practices/require_pod_requests_limits/e2e/good-pods.yaml b/best-practices/require_pod_requests_limits/e2e/good-pods.yaml deleted file mode 100644 index 50f8779b..00000000 --- a/best-practices/require_pod_requests_limits/e2e/good-pods.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" ---- -apiVersion: v1 -kind: Pod -metadata: - name: goodpod02 - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" - - name: busybox-again - image: busybox - resources: - requests: - memory: "50Mi" - cpu: "100m" - limits: - memory: "100Mi" diff --git a/best-practices/require_pod_requests_limits/e2e/policy-assert.yaml b/best-practices/require_pod_requests_limits/e2e/policy-assert.yaml deleted file mode 100644 index eb7dd5f1..00000000 --- a/best-practices/require_pod_requests_limits/e2e/policy-assert.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: require-requests-limits -spec: - validationFailureAction: Audit -status: - conditions: - - reason: Succeeded - status: "True" - type: Ready diff --git a/best-practices/require_probes/e2e/01-policy.yaml b/best-practices/require_probes/e2e/01-policy.yaml deleted file mode 100644 index 164f5832..00000000 --- a/best-practices/require_probes/e2e/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ../require_probes.yaml -assert: -- policy-assert.yaml diff --git a/best-practices/require_probes/e2e/02-enforce.yaml b/best-practices/require_probes/e2e/02-enforce.yaml deleted file mode 100644 index b0da21ec..00000000 --- a/best-practices/require_probes/e2e/02-enforce.yaml +++ /dev/null 
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require_probes.yaml | kubectl apply -f -
diff --git a/best-practices/require_probes/e2e/04-manifests.yaml b/best-practices/require_probes/e2e/04-manifests.yaml
deleted file mode 100644
index 38893873..00000000
--- a/best-practices/require_probes/e2e/04-manifests.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: good-pods.yaml
- shouldFail: false
-- file: good-podcontrollers.yaml
- shouldFail: false
-- file: bad-pod-nothing.yaml
- shouldFail: true
-- file: bad-pod-notall.yaml
- shouldFail: true
-- file: bad-podcontrollers.yaml
- shouldFail: true
diff --git a/best-practices/require_probes/e2e/05-pod-update.yaml b/best-practices/require_probes/e2e/05-pod-update.yaml
deleted file mode 100644
index c177f63e..00000000
--- a/best-practices/require_probes/e2e/05-pod-update.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: bad-pod-update.yaml
- shouldFail: true
diff --git a/best-practices/require_probes/e2e/99-delete.yaml b/best-practices/require_probes/e2e/99-delete.yaml
deleted file mode 100644
index 446c4a65..00000000
--- a/best-practices/require_probes/e2e/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: require-pod-probes
diff --git a/best-practices/require_probes/e2e/bad-pod-notall.yaml b/best-practices/require_probes/e2e/bad-pod-notall.yaml
deleted file mode 100644
index 469ce444..00000000
--- a/best-practices/require_probes/e2e/bad-pod-notall.yaml
+++ /dev/null
@@ -1,37 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod02 - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:1.35 - ports: - - containerPort: 8080 - readinessProbe: - tcpSocket: - port: 8080 - periodSeconds: 10 - - name: busybox - image: busybox:1.35 ---- -apiVersion: v1 -kind: Pod -metadata: - name: badpod03 - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:1.35 - - name: busybox - image: busybox:1.35 - ports: - - containerPort: 8080 - readinessProbe: - tcpSocket: - port: 8080 - periodSeconds: 10 diff --git a/best-practices/require_probes/e2e/bad-pod-nothing.yaml b/best-practices/require_probes/e2e/bad-pod-nothing.yaml deleted file mode 100644 index 249e3954..00000000 --- a/best-practices/require_probes/e2e/bad-pod-nothing.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: badpod01 - labels: - app: myapp -spec: - containers: - - name: busybox - image: busybox:1.35 diff --git a/best-practices/require_probes/e2e/bad-pod-update.yaml b/best-practices/require_probes/e2e/bad-pod-update.yaml deleted file mode 100644 index 22275d33..00000000 --- a/best-practices/require_probes/e2e/bad-pod-update.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: goodpod01 - labels: - app: myapp -spec: - containers: - - name: evil-box - image: busybox:1.35 diff --git a/best-practices/require_probes/e2e/bad-podcontrollers.yaml b/best-practices/require_probes/e2e/bad-podcontrollers.yaml deleted file mode 100644 index 1a2f753f..00000000 --- a/best-practices/require_probes/e2e/bad-podcontrollers.yaml +++ /dev/null 
@@ -1,23 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reqprobes-baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- template:
- metadata:
- labels:
- foo: bar
- spec:
- containers:
- - name: busybox
- image: busybox:1.35
- livenessProbe:
- tcpSocket:
- port: 7070
- periodSeconds: 20
- - name: busybox-again
- image: busybox:1.35
diff --git a/best-practices/require_probes/e2e/good-podcontrollers.yaml b/best-practices/require_probes/e2e/good-podcontrollers.yaml
deleted file mode 100644
index ee2bbaaa..00000000
--- a/best-practices/require_probes/e2e/good-podcontrollers.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reqprobes-gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- template:
- metadata:
- labels:
- foo: bar
- spec:
- containers:
- - name: busybox
- image: busybox:1.35
- livenessProbe:
- tcpSocket:
- port: 7070
- periodSeconds: 20
- - name: busybox-again
- image: busybox:1.35
- readinessProbe:
- tcpSocket:
- port: 8080
- periodSeconds: 10
diff --git a/best-practices/require_probes/e2e/good-pods.yaml b/best-practices/require_probes/e2e/good-pods.yaml
deleted file mode 100644
index 61faad23..00000000
--- a/best-practices/require_probes/e2e/good-pods.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: busybox:1.35
- livenessProbe:
- tcpSocket:
- port: 7070
- periodSeconds: 20
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: busybox:1.35
- livenessProbe:
- tcpSocket:
- port: 7070
- periodSeconds: 20
- - name: busybox-again
- image: busybox:1.35
- readinessProbe:
- tcpSocket:
- port: 8080
- periodSeconds: 10
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod03
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: busybox:1.35
- startupProbe:
- grpc:
- port: 8888
diff --git a/best-practices/require_ro_rootfs/e2e/01-policy.yaml b/best-practices/require_ro_rootfs/e2e/01-policy.yaml
deleted file mode 100644
index f290dbe4..00000000
--- a/best-practices/require_ro_rootfs/e2e/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- ../require_ro_rootfs.yaml
-assert:
-- policy-assert.yaml
diff --git a/best-practices/require_ro_rootfs/e2e/02-enforce.yaml b/best-practices/require_ro_rootfs/e2e/02-enforce.yaml
deleted file mode 100644
index a2d15479..00000000
--- a/best-practices/require_ro_rootfs/e2e/02-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require_ro_rootfs.yaml | kubectl apply -f -
diff --git a/best-practices/require_ro_rootfs/e2e/04-manifests.yaml b/best-practices/require_ro_rootfs/e2e/04-manifests.yaml
deleted file mode 100644
index 8e467e3b..00000000
--- a/best-practices/require_ro_rootfs/e2e/04-manifests.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: good-pods.yaml
- shouldFail: false
-- file: good-podcontrollers.yaml
- shouldFail: false
-- file: bad-pod-nothing.yaml
- shouldFail: true
-- file: bad-pod-notall.yaml
- shouldFail: true
-- file: bad-pod-false.yaml
- shouldFail: true
-- file: bad-podcontrollers.yaml
- shouldFail: true
diff --git a/best-practices/require_ro_rootfs/e2e/99-delete.yaml b/best-practices/require_ro_rootfs/e2e/99-delete.yaml
deleted file mode 100644
index 8c4b009d..00000000
--- a/best-practices/require_ro_rootfs/e2e/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: require-ro-rootfs
diff --git a/best-practices/require_ro_rootfs/e2e/bad-pod-false.yaml b/best-practices/require_ro_rootfs/e2e/bad-pod-false.yaml
deleted file mode 100644
index 7f8620cc..00000000
--- a/best-practices/require_ro_rootfs/e2e/bad-pod-false.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
-spec:
- containers:
- - name: busybox
- image: busybox:1.35
- securityContext:
- readOnlyRootFilesystem: false
diff --git a/best-practices/require_ro_rootfs/e2e/bad-pod-notall.yaml b/best-practices/require_ro_rootfs/e2e/bad-pod-notall.yaml
deleted file mode 100644
index 247753ac..00000000
--- a/best-practices/require_ro_rootfs/e2e/bad-pod-notall.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod-roroot
-spec:
- containers:
- - name: busybox
- image: busybox:1.35
- - name: busybox
- image: busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod-roroot
-spec:
- containers:
- - name: busybox
- image: busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
- - name: busybox
- image: busybox:1.35
diff --git a/best-practices/require_ro_rootfs/e2e/bad-pod-nothing.yaml b/best-practices/require_ro_rootfs/e2e/bad-pod-nothing.yaml
deleted file mode 100644
index 3ec7fbdf..00000000
--- a/best-practices/require_ro_rootfs/e2e/bad-pod-nothing.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02-roroot
-spec:
- containers:
- - name: busybox
- image: busybox:1.35
diff --git a/best-practices/require_ro_rootfs/e2e/bad-podcontrollers.yaml b/best-practices/require_ro_rootfs/e2e/bad-podcontrollers.yaml
deleted file mode 100644
index 2514c155..00000000
--- a/best-practices/require_ro_rootfs/e2e/bad-podcontrollers.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reqro-baddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: app
- template:
- metadata:
- labels:
- foo: bar
- spec:
- containers:
- - name: busybox
- image: busybox:1.35
- - name: busybox-again
- image: busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: reqro-badcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: busybox
- image: busybox:1.35
- - name: busybox-again
- image: busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
diff --git a/best-practices/require_ro_rootfs/e2e/good-podcontrollers.yaml b/best-practices/require_ro_rootfs/e2e/good-podcontrollers.yaml
deleted file mode 100644
index e9b4520c..00000000
--- a/best-practices/require_ro_rootfs/e2e/good-podcontrollers.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: reqro-gooddeployment01
-spec:
- replicas: 1
- selector:
- matchLabels:
- foo: bar
- template:
- metadata:
- labels:
- foo: bar
- spec:
- containers:
- - name: busybox
- image: busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
- - name: busybox-again
- image: busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: reqprobes-goodcronjob01
-spec:
- schedule: "*/1 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: busybox
- image: busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
- - name: busybox-again
- image: busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
diff --git a/best-practices/require_ro_rootfs/e2e/good-pods.yaml b/best-practices/require_ro_rootfs/e2e/good-pods.yaml
deleted file mode 100644
index 7374c2e9..00000000
--- a/best-practices/require_ro_rootfs/e2e/good-pods.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01-roroot
-spec:
- containers:
- - name: busybox
- image: busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02-roroot
-spec:
- containers:
- - name: busybox
- image: busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
- - name: busybox-again
- image: busybox:1.35
- securityContext:
- readOnlyRootFilesystem: true
diff --git a/best-practices/require_ro_rootfs/e2e/policy-assert.yaml b/best-practices/require_ro_rootfs/e2e/policy-assert.yaml
deleted file mode 100644
index cc9de696..00000000
--- a/best-practices/require_ro_rootfs/e2e/policy-assert.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-ro-rootfs
-spec:
- validationFailureAction: Audit
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/best-practices/restrict-service-external-ips/e2e/01-policy.yaml b/best-practices/restrict-service-external-ips/e2e/01-policy.yaml
deleted file mode 100644
index a007c62c..00000000
--- a/best-practices/restrict-service-external-ips/e2e/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- ../restrict-service-external-ips.yaml
-assert:
-- policy-assert.yaml
diff --git a/best-practices/restrict-service-external-ips/e2e/02-enforce.yaml b/best-practices/restrict-service-external-ips/e2e/02-enforce.yaml
deleted file mode 100644
index a734e53c..00000000
--- a/best-practices/restrict-service-external-ips/e2e/02-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-service-external-ips.yaml | kubectl apply -f -
diff --git a/best-practices/restrict-service-external-ips/e2e/03-enforce-policy-assert.yaml b/best-practices/restrict-service-external-ips/e2e/03-enforce-policy-assert.yaml
deleted file mode 100644
index d05abe21..00000000
--- a/best-practices/restrict-service-external-ips/e2e/03-enforce-policy-assert.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-external-ips
-spec:
- validationFailureAction: Enforce
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/best-practices/restrict-service-external-ips/e2e/04-manifests.yaml b/best-practices/restrict-service-external-ips/e2e/04-manifests.yaml
deleted file mode 100644
index bdb861ee..00000000
--- a/best-practices/restrict-service-external-ips/e2e/04-manifests.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: good-services.yaml
- shouldFail: false
-- file: bad-service-oneip.yaml
- shouldFail: true
-- file: bad-service-twoeip.yaml
- shouldFail: true
diff --git a/best-practices/restrict-service-external-ips/e2e/99-delete.yaml b/best-practices/restrict-service-external-ips/e2e/99-delete.yaml
deleted file mode 100644
index 6a60e4a3..00000000
--- a/best-practices/restrict-service-external-ips/e2e/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: restrict-external-ips
diff --git a/best-practices/restrict-service-external-ips/e2e/bad-service-oneip.yaml b/best-practices/restrict-service-external-ips/e2e/bad-service-oneip.yaml
deleted file mode 100644
index fff25953..00000000
--- a/best-practices/restrict-service-external-ips/e2e/bad-service-oneip.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: badservice01-eip
-spec:
- selector:
- app: MyApp
- ports:
- - protocol: TCP
- port: 80
- targetPort: 9376
- externalIPs:
- - 1.2.3.4
diff --git a/best-practices/restrict-service-external-ips/e2e/bad-service-twoeip.yaml b/best-practices/restrict-service-external-ips/e2e/bad-service-twoeip.yaml
deleted file mode 100644
index 3935bcac..00000000
--- a/best-practices/restrict-service-external-ips/e2e/bad-service-twoeip.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: badservice02-eip
-spec:
- selector:
- app: MyApp
- ports:
- - protocol: TCP
- port: 80
- targetPort: 9376
- externalIPs:
- - 1.2.3.4
- - 37.10.11.53
diff --git a/best-practices/restrict-service-external-ips/e2e/good-services.yaml b/best-practices/restrict-service-external-ips/e2e/good-services.yaml
deleted file mode 100644
index 010674ea..00000000
--- a/best-practices/restrict-service-external-ips/e2e/good-services.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: goodservice01-eip
-spec:
- selector:
- app: MyApp
- ports:
- - protocol: TCP
- port: 80
- targetPort: 9376
diff --git a/best-practices/restrict-service-external-ips/e2e/policy-assert.yaml b/best-practices/restrict-service-external-ips/e2e/policy-assert.yaml
deleted file mode 100644
index 64c32cc0..00000000
--- a/best-practices/restrict-service-external-ips/e2e/policy-assert.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-external-ips
-spec:
- validationFailureAction: Audit
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/best-practices/restrict_node_port/e2e/01-policy.yaml b/best-practices/restrict_node_port/e2e/01-policy.yaml
deleted file mode 100644
index eb3e75aa..00000000
--- a/best-practices/restrict_node_port/e2e/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- ../restrict_node_port.yaml
-assert:
-- policy-assert.yaml
diff --git a/best-practices/restrict_node_port/e2e/02-enforce.yaml b/best-practices/restrict_node_port/e2e/02-enforce.yaml
deleted file mode 100644
index bd97c9b7..00000000
--- a/best-practices/restrict_node_port/e2e/02-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict_node_port.yaml | kubectl apply -f -
diff --git a/best-practices/restrict_node_port/e2e/04-manifests.yaml b/best-practices/restrict_node_port/e2e/04-manifests.yaml
deleted file mode 100644
index 5ad5875f..00000000
--- a/best-practices/restrict_node_port/e2e/04-manifests.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: good-services.yaml
- shouldFail: false
-- file: bad-service-nodeport.yaml
- shouldFail: true
diff --git a/best-practices/restrict_node_port/e2e/99-delete.yaml b/best-practices/restrict_node_port/e2e/99-delete.yaml
deleted file mode 100644
index c372736f..00000000
--- a/best-practices/restrict_node_port/e2e/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: restrict-nodeport
diff --git a/best-practices/restrict_node_port/e2e/bad-service-nodeport.yaml b/best-practices/restrict_node_port/e2e/bad-service-nodeport.yaml
deleted file mode 100644
index 4e99ea2b..00000000
--- a/best-practices/restrict_node_port/e2e/bad-service-nodeport.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: badservice01-np
-spec:
- ports:
- - name: http
- nodePort: 31080
- port: 80
- protocol: TCP
- targetPort: 8080
- type: NodePort
diff --git a/best-practices/restrict_node_port/e2e/good-services.yaml b/best-practices/restrict_node_port/e2e/good-services.yaml
deleted file mode 100644
index 1acafde7..00000000
--- a/best-practices/restrict_node_port/e2e/good-services.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: goodservice01-np
-spec:
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: 8080
- type: ClusterIP
----
-apiVersion: v1
-kind: Service
-metadata:
- name: goodservice02-np
-spec:
- selector:
- app: MyApp
- ports:
- - protocol: TCP
- port: 80
- targetPort: 9376
- type: LoadBalancer
diff --git a/charts/best-practices-workload-security/Chart.yaml b/charts/best-practices-workload-security/Chart.yaml
index 1360ec73..f0fdaf0a 100644
--- a/charts/best-practices-workload-security/Chart.yaml
+++ b/charts/best-practices-workload-security/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: workload-security-best-practice-policies
 description: Workload Security Best Practice policy set
 type: application
-version: 0.2.0
+version: 0.2.1
 appVersion: 0.1.0
 keywords:
 - kubernetes
diff --git a/charts/best-practices-workload-security/templates/e2e/01-policy.yaml b/charts/best-practices-workload-security/templates/e2e/01-policy.yaml
deleted file mode 100644
index 1c19d47e..00000000
--- a/charts/best-practices-workload-security/templates/e2e/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- ../restrict_image_registries.yaml
-assert:
-- policy-assert.yaml
diff --git a/charts/best-practices-workload-security/templates/e2e/02-enforce.yaml b/charts/best-practices-workload-security/templates/e2e/02-enforce.yaml
deleted file mode 100644
index e7ca7dfd..00000000
--- a/charts/best-practices-workload-security/templates/e2e/02-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict_image_registries.yaml | kubectl apply -f -
diff --git a/charts/best-practices-workload-security/templates/e2e/03-enforce-policy-assert.yaml b/charts/best-practices-workload-security/templates/e2e/03-enforce-policy-assert.yaml
deleted file mode 100644
index 4862bac1..00000000
--- a/charts/best-practices-workload-security/templates/e2e/03-enforce-policy-assert.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: restrict-image-registries
-spec:
- validationFailureAction: enforce
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/charts/best-practices-workload-security/templates/e2e/04-manifests.yaml b/charts/best-practices-workload-security/templates/e2e/04-manifests.yaml
deleted file mode 100644
index 322c6bf1..00000000
--- a/charts/best-practices-workload-security/templates/e2e/04-manifests.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: good-pods.yaml
- shouldFail: false
-- file: good-podcontrollers.yaml
- shouldFail: false
-- file: bad-pod-noregistry.yaml
- shouldFail: true
-- file: bad-pod-notall.yaml
- shouldFail: true
-- file: bad-pod-false.yaml
- shouldFail: true
-- file: bad-podcontrollers.yaml
- shouldFail: true
diff --git a/charts/best-practices-workload-security/templates/e2e/05-ephemeral.yaml b/charts/best-practices-workload-security/templates/e2e/05-ephemeral.yaml
deleted file mode 100644
index f579a0b0..00000000
--- a/charts/best-practices-workload-security/templates/e2e/05-ephemeral.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
- - script: if kubectl debug -it goodpod02-registry --image=busybox:1.35 --target=k8s-nginx -n ir-pods-namespace; then exit 1; else exit 0; fi;
diff --git a/charts/best-practices-workload-security/templates/e2e/98-delete.yaml b/charts/best-practices-workload-security/templates/e2e/98-delete.yaml
deleted file mode 100644
index b51fdf15..00000000
--- a/charts/best-practices-workload-security/templates/e2e/98-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
- - command: kubectl delete deployments --all --force --grace-period=0 -n ir-pods-namespace
- - command: kubectl delete pods --all --force --grace-period=0 -n ir-pods-namespace
- - command: kubectl delete cronjobs --all --force --grace-period=0 -n ir-pods-namespace
diff --git a/charts/best-practices-workload-security/templates/e2e/99-delete.yaml b/charts/best-practices-workload-security/templates/e2e/99-delete.yaml
deleted file mode 100644
index 08ea2eb2..00000000
--- a/charts/best-practices-workload-security/templates/e2e/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: restrict-image-registries
diff --git a/charts/best-practices-workload-security/templates/e2e/bad-pod-false.yaml b/charts/best-practices-workload-security/templates/e2e/bad-pod-false.yaml
deleted file mode 100644
index 1c367f2f..00000000
--- a/charts/best-practices-workload-security/templates/e2e/bad-pod-false.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01-registry
-spec:
- containers:
- - name: k8s-nginx
- image: registry.k8s.io/nginx:1.7.9
diff --git a/charts/best-practices-workload-security/templates/e2e/bad-pod-noregistry.yaml b/charts/best-practices-workload-security/templates/e2e/bad-pod-noregistry.yaml
deleted file mode 100644
index 208049a2..00000000
--- a/charts/best-practices-workload-security/templates/e2e/bad-pod-noregistry.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod04-registry
-spec:
- containers:
- - name: k8s-nginx
- image: nginx
diff --git a/charts/best-practices-workload-security/templates/e2e/bad-pod-notall.yaml b/charts/best-practices-workload-security/templates/e2e/bad-pod-notall.yaml
deleted file mode 100644
index 62f9130f..00000000
--- a/charts/best-practices-workload-security/templates/e2e/bad-pod-notall.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02-registry
-spec:
- containers:
- - name: k8s-nginx
- image: registry.k8s.io/nginx:1.7.9
- - name: busybox
- image: bar.io/busybox
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod03-registry
-spec:
- containers:
- - name: busybox
- image: eu.foo.io/busybox
- - name: k8s-nginx
- image: registry.k8s.io/nginx:1.7.9
diff --git a/charts/best-practices-workload-security/templates/e2e/bad-podcontrollers.yaml b/charts/best-practices-workload-security/templates/e2e/bad-resource.yaml
similarity index 81%
rename from charts/best-practices-workload-security/templates/e2e/bad-podcontrollers.yaml
rename to charts/best-practices-workload-security/templates/e2e/bad-resource.yaml
index 4f903f66..ac27f808 100644
--- a/charts/best-practices-workload-security/templates/e2e/bad-podcontrollers.yaml
+++ b/charts/best-practices-workload-security/templates/e2e/bad-resource.yaml
@@ -1,3 +1,43 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod02-registry
+spec:
+ containers:
+ - name: k8s-nginx
+ image: registry.k8s.io/nginx:1.7.9
+ - name: busybox
+ image: bar.io/busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod03-registry
+spec:
+ containers:
+ - name: busybox
+ image: eu.foo.io/busybox
+ - name: k8s-nginx
+ image: registry.k8s.io/nginx:1.7.9
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod04-registry
+spec:
+ containers:
+ - name: k8s-nginx
+ image: nginx
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01-registry
+spec:
+ containers:
+ - name: k8s-nginx
+ image: registry.k8s.io/nginx:1.7.9
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/charts/best-practices-workload-security/templates/e2e/chainsaw-test.yaml b/charts/best-practices-workload-security/templates/e2e/chainsaw-test.yaml
new file mode 100644
index 00000000..3a2e09f5
--- /dev/null
+++ b/charts/best-practices-workload-security/templates/e2e/chainsaw-test.yaml
@@ -0,0 +1,32 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-image-registries-policy
+spec:
+ steps:
+ - name: test-restrict-image-registries
+ try:
+ - apply:
+ file: ../../pols/restrict_image_registries.yaml
+ - assert:
+ file: policy-assert.yaml
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-image-registries
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../../pols/restrict_image_registries.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - script:
+ content: |
+ if kubectl debug -it goodpod02-registry --image=busybox:1.35 --target=k8s-nginx -n ir-pods-namespace; then exit 1; else exit 0; fi;
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
diff --git a/best-practices/require_labels/e2e/03-enforce-policy-assert.yaml b/charts/best-practices-workload-security/templates/e2e/enforce-policy-assert.yaml
similarity index 83%
rename from best-practices/require_labels/e2e/03-enforce-policy-assert.yaml
rename to charts/best-practices-workload-security/templates/e2e/enforce-policy-assert.yaml
index de756e51..9fcea917 100644
--- a/best-practices/require_labels/e2e/03-enforce-policy-assert.yaml
+++ b/charts/best-practices-workload-security/templates/e2e/enforce-policy-assert.yaml
@@ -1,7 +1,7 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
- name: require-labels
+ name: restrict-image-registries
 spec:
 validationFailureAction: Enforce
 status:
diff --git a/charts/best-practices-workload-security/templates/e2e/good-pods.yaml b/charts/best-practices-workload-security/templates/e2e/good-pods.yaml
deleted file mode 100644
index ecca6ff7..00000000
--- a/charts/best-practices-workload-security/templates/e2e/good-pods.yaml
+++ /dev/null
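Review bot: The Enforce-mode ClusterPolicy that the `sed … | kubectl apply -f -` script step creates is never removed: chainsaw only cleans up resources it applied itself, so the script-created `restrict-image-registries` policy outlives this test and keeps enforcing against whatever runs next on the shared kind cluster (the deleted kuttl suite had a 99-delete step for exactly this). A `finally` list on the step that deletes the ClusterPolicy by ref closes that gap, and it also covers the case where an earlier `assert` fails mid-step. Separately, the `kubectl debug` script treats any non-zero exit as "the policy blocked the ephemeral container", so a missing pod, a wrong namespace or `-it` failing on a TTY-less runner would also count as a pass; a `check` on that script that inspects `$stderr` for the admission-denial text (if the installed chainsaw supports it), or at least a `# NOTE: any failure passes — relies on the pod existing` comment, would make the assumption visible.
```yaml
  - name: test-restrict-image-registries
    try:
    # … unchanged: apply / assert / delete / script / apply steps …
    finally:
    - delete:
        ref:
          apiVersion: kyverno.io/v1
          kind: ClusterPolicy
          name: restrict-image-registries
```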
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: ir-pods-namespace
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01-registry
- namespace: ir-pods-namespace
-spec:
- initContainers:
- - name: k8s-nginx-init
- image: bar.io/nginx
- containers:
- - name: k8s-nginx
- image: eu.foo.io/nginx
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02-registry
- namespace: ir-pods-namespace
-spec:
- initContainers:
- - name: nginx-init
- image: bar.io/nginx
- - name: busybox-init
- image: eu.foo.io/busybox
- containers:
- - name: k8s-nginx
- image: bar.io/nginx
- - name: busybox
- image: eu.foo.io/busybox
diff --git a/charts/best-practices-workload-security/templates/e2e/good-podcontrollers.yaml b/charts/best-practices-workload-security/templates/e2e/good-resource.yaml
similarity index 62%
rename from charts/best-practices-workload-security/templates/e2e/good-podcontrollers.yaml
rename to charts/best-practices-workload-security/templates/e2e/good-resource.yaml
index 87dc9dcc..4f04eeec 100644
--- a/charts/best-practices-workload-security/templates/e2e/good-podcontrollers.yaml
+++ b/charts/best-practices-workload-security/templates/e2e/good-resource.yaml
@@ -1,3 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ir-pods-namespace
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -46,3 +51,33 @@ spec:
 image: eu.foo.io/nginx
 - name: k8s-nginx
 image: bar.io/nginx
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod01-registry
+ namespace: ir-pods-namespace
+spec:
+ initContainers:
+ - name: k8s-nginx-init
+ image: bar.io/nginx
+ containers:
+ - name: k8s-nginx
+ image: eu.foo.io/nginx
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod02-registry
+ namespace: ir-pods-namespace
+spec:
+ initContainers:
+ - name: nginx-init
+ image: bar.io/nginx
+ - name: busybox-init
+ image: eu.foo.io/busybox
+ containers:
+ - name: k8s-nginx
+ image: bar.io/nginx
+ - name: busybox
+ image: eu.foo.io/busybox
diff --git a/charts/best-practices-workload-security/templates/e2e/policy-assert.yaml b/charts/best-practices-workload-security/templates/e2e/policy-assert.yaml
index ee109212..38b7d373 100644
--- a/charts/best-practices-workload-security/templates/e2e/policy-assert.yaml
+++ b/charts/best-practices-workload-security/templates/e2e/policy-assert.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: restrict-image-registries
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 status:
 conditions:
 - reason: Succeeded
diff --git a/kuttl-test.yaml b/kuttl-test.yaml
deleted file mode 100644
index da371537..00000000
--- a/kuttl-test.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestSuite
-testDirs:
-- best-practices
-startKIND: false
-timeout: 90
-parallel: 1
-fullName: true
diff --git a/pod-security/baseline/disallow-capabilities/e2e/bad-resource.yaml b/pod-security/baseline/disallow-capabilities/e2e/bad-resource.yaml
new file mode 100644
index 00000000..63d8a5c0
--- /dev/null
+++ b/pod-security/baseline/disallow-capabilities/e2e/bad-resource.yaml
@@ -0,0 +1,417 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + - SETGID +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SYS_ADMIN +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: 
+ app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + - SETGID +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SYS_ADMIN +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: 
+ spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + - SETGID +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + 
capabilities: + add: + - SYS_ADMIN diff --git a/pod-security/baseline/disallow-capabilities/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-capabilities/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..1d083cf6 --- /dev/null +++ b/pod-security/baseline/disallow-capabilities/e2e/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-capabilities-policy +spec: + steps: + - name: test-disallow-capabilities + try: + - apply: + file: ../disallow-capabilities.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-capabilities.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/best-practices/disallow_latest_tag/e2e/03-enforce-policy-assert.yaml b/pod-security/baseline/disallow-capabilities/e2e/enforce-policy-assert.yaml similarity index 78% rename from best-practices/disallow_latest_tag/e2e/03-enforce-policy-assert.yaml rename to pod-security/baseline/disallow-capabilities/e2e/enforce-policy-assert.yaml index 263110a4..0ed21cfe 100644 --- a/best-practices/disallow_latest_tag/e2e/03-enforce-policy-assert.yaml +++ b/pod-security/baseline/disallow-capabilities/e2e/enforce-policy-assert.yaml @@ -1,11 +1,11 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-latest-tag + name: disallow-capabilities spec: validationFailureAction: Enforce status: conditions: - reason: Succeeded status: "True" - type: Ready + type: Ready \ No newline at end of file diff --git a/pod-security/baseline/disallow-capabilities/e2e/good-resource.yaml b/pod-security/baseline/disallow-capabilities/e2e/good-resource.yaml new file mode 100644 index 00000000..a1b79b5c --- /dev/null 
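Review bot: Every container in this fixture is `image: nginx` with no tag, i.e. an implicit `:latest`, which makes the workloads created during a CI run non-reproducible and is exactly what this repository's own `disallow_latest_tag` policy rejects (its e2e path appears in the rename further down). Only the policy under test is installed during a chainsaw run, so this does not break the test today, but pinning to a fixed tag, e.g. `image: nginx:<pinned-tag>`, keeps the good/bad outcomes stable across runs and lets the fixtures coexist with that policy. The same applies to the other new `bad-resource.yaml` and `good-resource.yaml` files in this change.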
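Review bot: The Audit-to-Enforce switch in the `script` step fails silently when the `sed` pattern does not match: `sed` prints the file unchanged, `kubectl apply -f -` re-applies the Audit policy and exits 0, and the mistake only surfaces as a timeout on the following `enforce-policy-assert.yaml` assert. This diff itself corrects an `audit` to `Audit` spelling in another assert file, so the policy files are not guaranteed to use the exact string the pattern expects. Capture the output first and abort unless the new value is present, e.g. `p=$(sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-capabilities.yaml) && case "$p" in *'validationFailureAction: Enforce'*) printf '%s\n' "$p" | kubectl apply -f - ;; *) echo 'Audit->Enforce substitution did not match' >&2; exit 1 ;; esac`. The same step appears in the disallow-host-namespaces and disallow-host-path chainsaw tests.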
+++ b/pod-security/baseline/disallow-capabilities/e2e/good-resource.yaml 
@@ -0,0 +1,359 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: 
app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: 
+ template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - SETGID +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - DAC_OVERRIDE + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - SETGID diff --git a/best-practices/require_drop_all/e2e/policy-assert.yaml b/pod-security/baseline/disallow-capabilities/e2e/policy-assert.yaml similarity index 85% rename from best-practices/require_drop_all/e2e/policy-assert.yaml rename to pod-security/baseline/disallow-capabilities/e2e/policy-assert.yaml index 3372893f..a874e15a 100644 --- a/best-practices/require_drop_all/e2e/policy-assert.yaml +++ b/pod-security/baseline/disallow-capabilities/e2e/policy-assert.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: drop-all-capabilities + name: disallow-capabilities spec: validationFailureAction: Audit status: 
diff --git a/pod-security/baseline/disallow-host-namespaces/e2e/bad-resource.yaml b/pod-security/baseline/disallow-host-namespaces/e2e/bad-resource.yaml new file mode 100644 index 00000000..6ee5d7d8 --- /dev/null +++ b/pod-security/baseline/disallow-host-namespaces/e2e/bad-resource.yaml 
@@ -0,0 +1,189 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + hostPID: true + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + hostIPC: true + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + hostNetwork: true + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + hostPID: true + hostIPC: true + hostNetwork: true + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostPID: true + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostIPC: true + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostPID: true + hostIPC: true + hostNetwork: true + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostPID: true + containers: + - name: container01 + image: nginx +--- +apiVersion: 
batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostIPC: true + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostPID: true + hostIPC: true + hostNetwork: true + containers: + - name: container01 + image: nginx diff --git a/pod-security/baseline/disallow-host-namespaces/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-host-namespaces/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..dffecafe --- /dev/null +++ b/pod-security/baseline/disallow-host-namespaces/e2e/chainsaw-test.yaml 
@@ -0,0 +1,44 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-host-namespaces-policy +spec: + steps: + - name: test-disallow-host-namespaces + try: + - apply: + file: ../disallow-host-namespaces.yaml + - assert: + file: policy-assert.yaml + - apply: + file: ../remediate-disallow-host-namespaces.yaml + - assert: + file: remediation-policy-assert.yaml + - apply: + file: ../deployment.yaml + - sleep: + duration: 20s + - assert: + resource: + apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + summary: + error: 0 + fail: 0 + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: remediate-disallow-host-namespaces + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-host-namespaces.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/pod-security/baseline/disallow-host-namespaces/e2e/enforce-policy-assert.yaml b/pod-security/baseline/disallow-host-namespaces/e2e/enforce-policy-assert.yaml new file mode 100644 index 00000000..a74a9c17 --- /dev/null +++ b/pod-security/baseline/disallow-host-namespaces/e2e/enforce-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-namespaces +spec: + validationFailureAction: Enforce +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/pod-security/baseline/disallow-host-namespaces/e2e/good-resource.yaml b/pod-security/baseline/disallow-host-namespaces/e2e/good-resource.yaml new file mode 100644 index 00000000..cf9d9ff7 --- /dev/null +++ b/pod-security/baseline/disallow-host-namespaces/e2e/good-resource.yaml 
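Review bot: The PolicyReport assertion after the `sleep` is satisfied vacuously: it names no report and requires only `error: 0` and `fail: 0`, so any report in the namespace with no results at all matches, including one produced before `../deployment.yaml` has been scanned, and the test passes without proving that `remediate-disallow-host-namespaces` actually mutated the deployment (which I take to be its purpose). Require a positive result as well, e.g. `summary: {error: 0, fail: 0, pass: 1}` with the count the deployment produces in this Kyverno version, and add `metadata.name` if the report name is predictable. The `sleep: 20s` is then unnecessary, because `assert` already retries up to the `assert` timeout in `.chainsaw-config.yaml`. The disallow-host-path chainsaw test has the same pattern.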
@@ -0,0 +1,230 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + hostPID: false + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + hostIPC: false + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + hostNetwork: false + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + hostPID: false + hostIPC: false + hostNetwork: false + containers: + - name: container01 + image: nginx +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostPID: false + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostIPC: false + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: false + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostPID: 
false + hostIPC: false + hostNetwork: false + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostPID: false + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostIPC: false + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: false + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostPID: false + hostIPC: false + hostNetwork: false + containers: + - name: container01 + image: nginx diff --git a/pod-security/baseline/disallow-host-namespaces/e2e/policy-assert.yaml b/pod-security/baseline/disallow-host-namespaces/e2e/policy-assert.yaml new file mode 100644 index 00000000..c04bbaef --- /dev/null +++ b/pod-security/baseline/disallow-host-namespaces/e2e/policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-namespaces +spec: + validationFailureAction: Audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/pod-security/baseline/disallow-host-namespaces/e2e/remediation-policy-assert.yaml b/pod-security/baseline/disallow-host-namespaces/e2e/remediation-policy-assert.yaml new file mode 100644 index 00000000..9f847950 --- /dev/null +++ b/pod-security/baseline/disallow-host-namespaces/e2e/remediation-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: remediate-disallow-host-namespaces +spec: + validationFailureAction: Audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/pod-security/baseline/disallow-host-path/e2e/bad-resource.yaml b/pod-security/baseline/disallow-host-path/e2e/bad-resource.yaml new file mode 100644 index 00000000..75fb19f7 --- /dev/null +++ b/pod-security/baseline/disallow-host-path/e2e/bad-resource.yaml 
@@ -0,0 +1,141 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + hostPath: + path: /etc/udev +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + - name: temp + mountPath: /scratch + volumes: + - name: temp + emptyDir: {} + - name: udev + hostPath: + path: /etc/udev +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + hostPath: + path: /etc/udev +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + - name: temp + mountPath: /scratch + volumes: + - name: temp + emptyDir: {} + - name: udev + hostPath: + path: /etc/udev +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + hostPath: + path: /etc/udev +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + - name: temp + 
mountPath: /scratch + volumes: + - name: temp + emptyDir: {} + - name: udev + hostPath: + path: /etc/udev diff --git a/pod-security/baseline/disallow-host-path/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-host-path/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..09b250f7 --- /dev/null +++ b/pod-security/baseline/disallow-host-path/e2e/chainsaw-test.yaml @@ -0,0 +1,44 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-host-path-policy +spec: + steps: + - name: test-disallow-host-path + try: + - apply: + file: ../disallow-host-path.yaml + - assert: + file: policy-assert.yaml + - apply: + file: ../remediate-disallow-host-path.yaml + - assert: + file: remediation-policy-assert.yaml + - apply: + file: ../deployment.yaml + - sleep: + duration: 20s + - assert: + resource: + apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + summary: + error: 0 + fail: 0 + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: remediate-disallow-host-path + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-host-path.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/best-practices/require_ro_rootfs/e2e/03-enforce-policy-assert.yaml b/pod-security/baseline/disallow-host-path/e2e/enforce-policy-assert.yaml similarity index 79% rename from best-practices/require_ro_rootfs/e2e/03-enforce-policy-assert.yaml rename to pod-security/baseline/disallow-host-path/e2e/enforce-policy-assert.yaml index 76939a3d..7c6b6fc5 100644 --- a/best-practices/require_ro_rootfs/e2e/03-enforce-policy-assert.yaml +++ b/pod-security/baseline/disallow-host-path/e2e/enforce-policy-assert.yaml 
@@ -1,11 +1,11 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: require-ro-rootfs + name: disallow-host-path spec: validationFailureAction: Enforce status: conditions: - reason: Succeeded status: "True" - type: Ready + type: Ready \ No newline at end of file diff --git a/pod-security/baseline/disallow-host-path/e2e/good-resource.yaml b/pod-security/baseline/disallow-host-path/e2e/good-resource.yaml new file mode 100644 index 00000000..4696f979 --- /dev/null +++ b/pod-security/baseline/disallow-host-path/e2e/good-resource.yaml 
@@ -0,0 +1,104 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: temp + mountPath: /scratch + volumes: + - name: temp + emptyDir: {} +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: temp + mountPath: /scratch + volumes: + - name: temp + emptyDir: {} +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: temp + mountPath: /scratch + volumes: + - name: temp + emptyDir: {} diff --git a/best-practices/require_probes/e2e/policy-assert.yaml b/pod-security/baseline/disallow-host-path/e2e/policy-assert.yaml similarity index 86% rename from best-practices/require_probes/e2e/policy-assert.yaml rename to pod-security/baseline/disallow-host-path/e2e/policy-assert.yaml index 6f2f2e50..1dcd90ba 100644 --- a/best-practices/require_probes/e2e/policy-assert.yaml 
+++ b/pod-security/baseline/disallow-host-path/e2e/policy-assert.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: require-pod-probes + name: disallow-host-path spec: validationFailureAction: Audit status: diff --git a/pod-security/baseline/disallow-host-path/e2e/remediation-policy-assert.yaml b/pod-security/baseline/disallow-host-path/e2e/remediation-policy-assert.yaml new file mode 100644 index 00000000..b6003712 --- /dev/null +++ b/pod-security/baseline/disallow-host-path/e2e/remediation-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: remediate-disallow-host-path +spec: + validationFailureAction: Audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/pod-security/baseline/disallow-host-ports/e2e/bad-resource.yaml b/pod-security/baseline/disallow-host-ports/e2e/bad-resource.yaml new file mode 100644 index 00000000..0160c967 --- /dev/null +++ b/pod-security/baseline/disallow-host-ports/e2e/bad-resource.yaml 
@@ -0,0 +1,720 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: container02 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + containers: + - name: container01 + image: nginx + ports: + - name: web-secure + containerPort: 4443 + hostPort: 443 + - name: container02 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod08 +spec: + initContainers: + - name: initcontainer01 + image: 
nginx + - name: initcontainer02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web + containerPort: 4443 + hostPort: 443 + - name: initcontainer02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: apps/v1 
+kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: container02 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + ports: + - name: web-secure + containerPort: 4443 + hostPort: 443 + - name: container02 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: 
nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web + containerPort: 4443 + hostPort: 443 + - name: initcontainer02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web + containerPort: 4443 + hostPort: 443 + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: dns + containerPort: 5553 + hostPort: 
53 + protocol: UDP +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: container02 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + ports: + - name: web-secure + containerPort: 4443 + hostPort: 443 + - name: container02 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 + protocol: UDP +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: nginx + ports: + - name: 
dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web + containerPort: 4443 + hostPort: 443 + - name: initcontainer02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + containers: + - name: container01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: dns + containerPort: 5553 + hostPort: 53 + containers: + - name: container01 + image: nginx diff --git a/pod-security/baseline/disallow-host-ports/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-host-ports/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..4097bdab --- /dev/null +++ b/pod-security/baseline/disallow-host-ports/e2e/chainsaw-test.yaml 
@@ -0,0 +1,44 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-host-ports-policy +spec: + steps: + - name: test-disallow-host-ports + try: + - apply: + file: ../disallow-host-ports.yaml + - assert: + file: policy-assert.yaml + - apply: + file: ../remediate-disallow-host-ports.yaml + - assert: + file: remediation-policy-assert.yaml + - sleep: + duration: 20s + - apply: + file: ../deployment.yaml + - assert: + resource: + apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + summary: + error: 0 + fail: 0 + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: remediate-disallow-host-ports + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-host-ports.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/best-practices/require_probes/e2e/03-enforce-policy-assert.yaml b/pod-security/baseline/disallow-host-ports/e2e/enforce-policy-assert.yaml similarity index 78% rename from best-practices/require_probes/e2e/03-enforce-policy-assert.yaml rename to pod-security/baseline/disallow-host-ports/e2e/enforce-policy-assert.yaml index 2e473537..11e93dda 100644 --- a/best-practices/require_probes/e2e/03-enforce-policy-assert.yaml +++ b/pod-security/baseline/disallow-host-ports/e2e/enforce-policy-assert.yaml @@ -1,11 +1,11 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: require-pod-probes + name: disallow-host-ports spec: validationFailureAction: Enforce status: conditions: - reason: Succeeded status: "True" - type: Ready + type: Ready \ No newline at end of file diff --git a/pod-security/baseline/disallow-host-ports/e2e/good-resource.yaml b/pod-security/baseline/disallow-host-ports/e2e/good-resource.yaml new file mode 100644 index 00000000..27867043 --- /dev/null 
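Review bot: The final `expect` only checks `($error != null): true`, which is satisfied by any admission failure, not specifically a denial by `disallow-host-ports`; a schema error in a fixture or a rejection by an unrelated ClusterPolicy left in the cluster would still turn the step green. Assuming `$error` is bound to the error message string, tightening the JMESPath check to the policy name, e.g. `(contains($error, 'disallow-host-ports')): true`, ties the failure to the rule under test; the disallow-host-process test later in this commit has the same weakness. Separately, the `PolicyReport` assert carries no `metadata` or `scope`, so it matches any report in the namespace with `fail: 0` and `error: 0` rather than the one generated for `../deployment.yaml`; naming the report's scope (the Deployment kind and name, if that is how the installed Kyverno version keys reports) would pin it.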
+++ b/pod-security/baseline/disallow-host-ports/e2e/good-resource.yaml 
@@ -0,0 +1,591 @@ +--- +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: web-insecure + containerPort: 8080 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + containers: + - name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod08 +spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod10 +spec: + initContainers: + - 
name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: web-insecure + containerPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - 
name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: 
CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP + - name: web-insecure + containerPort: 8080 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + - name: container02 + image: nginx + ports: + - name: admin + containerPort: 8000 + protocol: TCP +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + 
template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 + containers: + - name: container01 + image: nginx + ports: + - name: web-insecure + containerPort: 8080 diff --git a/best-practices/disallow_latest_tag/e2e/policy-assert.yaml b/pod-security/baseline/disallow-host-ports/e2e/policy-assert.yaml similarity index 86% rename from best-practices/disallow_latest_tag/e2e/policy-assert.yaml rename to pod-security/baseline/disallow-host-ports/e2e/policy-assert.yaml index 056d482f..956b6eb0 100644 --- a/best-practices/disallow_latest_tag/e2e/policy-assert.yaml +++ b/pod-security/baseline/disallow-host-ports/e2e/policy-assert.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-latest-tag + name: disallow-host-ports spec: validationFailureAction: Audit status: diff --git a/pod-security/baseline/disallow-host-ports/e2e/remediation-policy-assert.yaml b/pod-security/baseline/disallow-host-ports/e2e/remediation-policy-assert.yaml new file mode 100644 index 00000000..4ac98bd1 --- /dev/null +++ b/pod-security/baseline/disallow-host-ports/e2e/remediation-policy-assert.yaml 
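Review bot: None of the good fixtures sets `hostPort` at all, so the boundary the policy presumably permits, `hostPort: 0` (treated as unset by the baseline profile), is never exercised on the accept side. One document per kind carrying `hostPort: 0` on an otherwise plain port would pin that behaviour and catch a regression that turned the check into "any hostPort key present". If the policy does not in fact accept `hostPort: 0`, the document belongs in bad-resource.yaml instead, but either way the case is currently untested.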
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-disallow-host-ports
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/pod-security/baseline/disallow-host-process/e2e/bad-resource.yaml b/pod-security/baseline/disallow-host-process/e2e/bad-resource.yaml
new file mode 100644
index 00000000..76879563
--- /dev/null
+++ b/pod-security/baseline/disallow-host-process/e2e/bad-resource.yaml
@@ -0,0 +1,372 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: container02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: initcontainer02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: initcontainer02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- 
+apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: container02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: initcontainer02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: initcontainer02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: 
badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: container02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: initcontainer02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + - name: initcontainer02 + image: nginx + securityContext: + windowsOptions: + hostProcess: true + 
containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: true diff --git a/pod-security/baseline/disallow-host-process/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-host-process/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..1fa08cd3 --- /dev/null +++ b/pod-security/baseline/disallow-host-process/e2e/chainsaw-test.yaml @@ -0,0 +1,44 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-host-process-policy +spec: + steps: + - name: test-disallow-host-process + try: + - apply: + file: ../disallow-host-process.yaml + - assert: + file: policy-assert.yaml + - apply: + file: ../remediate-disallow-host-process.yaml + - assert: + file: remediation-policy-assert.yaml + - apply: + file: ../deployment.yaml + - sleep: + duration: 20s + - assert: + resource: + apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + summary: + error: 0 + fail: 0 + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: remediate-disallow-host-process + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-host-process.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/pod-security/baseline/disallow-host-process/e2e/enforce-policy-assert.yaml b/pod-security/baseline/disallow-host-process/e2e/enforce-policy-assert.yaml new file mode 100644 index 00000000..599d2508 --- /dev/null +++ b/pod-security/baseline/disallow-host-process/e2e/enforce-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-process +spec: + validationFailureAction: Enforce +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file 
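Review bot: `badpod05` is identical to `badpod04` apart from its name (two init containers and one container, all with `hostProcess: true`), and the same duplication appears in `baddeployment04`/`baddeployment05` and `badcronjob04`/`badcronjob05`, so the fifth case adds no coverage; the mixed patterns used elsewhere in this commit suggest it was meant to be the case where only one of the two init containers sets `hostProcess: true`. The fixtures also never set the pod-level `spec.securityContext.windowsOptions.hostProcess: true`, which the baseline profile lists alongside the container-level field; if the policy checks that path, a bad document for it per kind would be worth adding.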
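Review bot: The 20s `sleep` is placed after `apply: ../deployment.yaml` here but before it in the disallow-host-ports test, so the two tests give the report generator different grace periods before the `PolicyReport` assert runs. Since `assert` already polls until the configured assert timeout, the fixed sleep is largely redundant; if it is kept, the step order should match between the two tests so failures are comparable.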
diff --git a/pod-security/baseline/disallow-host-process/e2e/good-resource.yaml b/pod-security/baseline/disallow-host-process/e2e/good-resource.yaml
new file mode 100644
index 00000000..6e331bcc
--- /dev/null
+++ b/pod-security/baseline/disallow-host-process/e2e/good-resource.yaml
@@ -0,0 +1,356 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + hostNetwork: true + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + hostNetwork: true + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + windowsOptions: + hostProcess: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + windowsOptions: + hostProcess: false + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + 
windowsOptions: + hostProcess: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + windowsOptions: + hostProcess: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: 
+ restartPolicy: OnFailure + hostNetwork: true + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + windowsOptions: + hostProcess: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + hostNetwork: true + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + windowsOptions: + hostProcess: false + containers: + - name: container01 + image: nginx + securityContext: + windowsOptions: + hostProcess: false diff --git a/pod-security/baseline/disallow-host-process/e2e/policy-assert.yaml b/pod-security/baseline/disallow-host-process/e2e/policy-assert.yaml new file mode 100644 index 00000000..d438805e --- /dev/null +++ b/pod-security/baseline/disallow-host-process/e2e/policy-assert.yaml 
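Review bot: Every "good" manifest in good-resource.yaml sets `hostNetwork: true`, which the hostProcess check never looks at and which is itself a baseline violation (host namespaces). Presumably this was carried over from the Windows HostProcess requirement, where `hostNetwork: true` is mandatory; on the Linux kind nodes this workflow runs on it only means that the admitted nginx pods, the deployments and the every-minute CronJobs all try to bind port 80 on the node, so most of them will crash-loop until chainsaw cleans up. The test only checks admission, so the run does not fail, but dropping `hostNetwork: true` (or keeping it on a single `hostProcess: false` case with a comment such as `# hostNetwork is required for HostProcess pods; kept to mirror a realistic spec`) keeps these fixtures from tripping a cluster that has the rest of the baseline profile applied.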
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-process
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/pod-security/baseline/disallow-host-process/e2e/remediation-policy-assert.yaml b/pod-security/baseline/disallow-host-process/e2e/remediation-policy-assert.yaml
new file mode 100644
index 00000000..79a20297
--- /dev/null
+++ b/pod-security/baseline/disallow-host-process/e2e/remediation-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-disallow-host-process
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/pod-security/baseline/disallow-privileged-containers/e2e/bad-resource.yaml b/pod-security/baseline/disallow-privileged-containers/e2e/bad-resource.yaml
new file mode 100644
index 00000000..ebcf0582
--- /dev/null
+++ b/pod-security/baseline/disallow-privileged-containers/e2e/bad-resource.yaml
@@ -0,0 +1,294 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + privileged: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + privileged: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx + securityContext: + privileged: true +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + privileged: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + privileged: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: 
initcontainer01 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx + securityContext: + privileged: true +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + privileged: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + privileged: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + 
restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + privileged: true + containers: + - name: container01 + image: nginx + securityContext: + privileged: true diff --git a/pod-security/baseline/disallow-privileged-containers/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-privileged-containers/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..9f4b3d47 --- /dev/null +++ b/pod-security/baseline/disallow-privileged-containers/e2e/chainsaw-test.yaml @@ -0,0 +1,44 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-privileged-containers-policy +spec: + steps: + - name: test-disallow-privileged-containers + try: + - apply: + file: ../disallow-privileged-containers.yaml + - assert: + file: policy-assert.yaml + - apply: + file: ../remediate-disallow-privileged-containers.yaml + - assert: + file: remediation-policy-assert.yaml + - apply: + file: ../deployment.yaml + - sleep: + duration: 20s + - assert: + resource: + apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + summary: + error: 0 + fail: 0 + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: remediate-disallow-privileged-containers + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-privileged-containers.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml 
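Review bot: The final `apply` step of chainsaw-test.yaml only checks `($error != null): true`, so any failure at all — a namespace problem, a malformed document, an unknown field on an older API server in the version matrix — counts as "the policy rejected bad-resource.yaml". Tie the expectation to the policy that is supposed to do the rejecting, e.g. `(contains($error, 'disallow-privileged-containers')): true`, so a silently broken Enforce rule cannot be masked by an unrelated apply error. The good-resource.yaml step has no `expect` and will fail the test on any error, which is the right behaviour for the positive case. The bad-resource.yaml hunk also closes on this line; its Pod, Deployment and CronJob cases look consistent with the container and initContainer paths the policy checks.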
diff --git a/pod-security/baseline/disallow-privileged-containers/e2e/enforce-policy-assert.yaml b/pod-security/baseline/disallow-privileged-containers/e2e/enforce-policy-assert.yaml
new file mode 100644
index 00000000..95e08634
--- /dev/null
+++ b/pod-security/baseline/disallow-privileged-containers/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-privileged-containers
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-privileged-containers/e2e/good-resource.yaml b/pod-security/baseline/disallow-privileged-containers/e2e/good-resource.yaml
new file mode 100644
index 00000000..e4cddcd0
--- /dev/null
+++ b/pod-security/baseline/disallow-privileged-containers/e2e/good-resource.yaml
@@ -0,0 +1,323 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + privileged: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + privileged: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + privileged: false + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + privileged: false + containers: + - name: container01 + image: nginx + securityContext: + privileged: false +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + privileged: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - 
name: container02 + image: nginx + securityContext: + privileged: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + privileged: false + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + privileged: false + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + privileged: false +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + privileged: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + privileged: false +--- +apiVersion: batch/v1 +kind: 
CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + privileged: false + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + privileged: false + containers: + - name: container01 + image: nginx + securityContext: + privileged: false diff --git a/best-practices/disallow_cri_sock_mount/e2e/policy-assert.yaml b/pod-security/baseline/disallow-privileged-containers/e2e/policy-assert.yaml similarity index 81% rename from best-practices/disallow_cri_sock_mount/e2e/policy-assert.yaml rename to pod-security/baseline/disallow-privileged-containers/e2e/policy-assert.yaml index 63edae2c..3b011ae2 100644 --- a/best-practices/disallow_cri_sock_mount/e2e/policy-assert.yaml +++ b/pod-security/baseline/disallow-privileged-containers/e2e/policy-assert.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-container-sock-mounts + name: disallow-privileged-containers spec: validationFailureAction: Audit status: diff --git a/pod-security/baseline/disallow-privileged-containers/e2e/remediation-policy-assert.yaml b/pod-security/baseline/disallow-privileged-containers/e2e/remediation-policy-assert.yaml new file mode 100644 index 00000000..43812bdd --- /dev/null 
+++ b/pod-security/baseline/disallow-privileged-containers/e2e/remediation-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: remediate-disallow-privileged-containers +spec: + validationFailureAction: Audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/pod-security/baseline/disallow-privileged-containers/remediate-disallow-privileged-containers.yaml b/pod-security/baseline/disallow-privileged-containers/remediate-disallow-privileged-containers.yaml index cffea6f8..2defd82c 100644 --- a/pod-security/baseline/disallow-privileged-containers/remediate-disallow-privileged-containers.yaml +++ b/pod-security/baseline/disallow-privileged-containers/remediate-disallow-privileged-containers.yaml @@ -20,12 +20,12 @@ spec: - Job - DaemonSet mutate: - foreach: + foreach: - list: request.object.spec.template.spec.containers[] order: Descending preconditions: all: - - key: "{{ element.securityContext && element.securityContext.privileged }}" + - key: "{{ element.securityContext && element.securityContext.privileged || 'false' }}" operator: Equals value: true patchesJson6902: |- @@ -36,7 +36,7 @@ spec: order: Descending preconditions: all: - - key: "{{ element.securityContext && element.securityContext.privileged }}" + - key: "{{ element.securityContext && element.securityContext.privileged || 'false' }}" operator: Equals value: true patchesJson6902: |- @@ -47,10 +47,10 @@ spec: order: Descending preconditions: all: - - key: "{{ element.securityContext && element.securityContext.privileged }}" + - key: "{{ element.securityContext && element.securityContext.privileged || 'false' }}" operator: Equals value: true patchesJson6902: |- - path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext/privileged op: replace - value: false \ No newline at end of file + value: false 
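Review bot: The new precondition key `{{ element.securityContext && element.securityContext.privileged || 'false' }}` yields a JMESPath string ('false') when securityContext is absent or privileged is false, but a JSON boolean (true) when the field is set, so the `Equals` comparison against `value: true` mixes types between the two branches. The outcome is the same either way — only the boolean-true branch should match and the string never equals it — but writing the fallback as a JMESPath JSON literal (false wrapped in backticks instead of single quotes) keeps the key a boolean in every case and removes the dependence on how Kyverno coerces a string key against a boolean value. The same expression is repeated in all three foreach rules; their rule headers are outside these hunks, so this assumes the container, initContainer and ephemeralContainer lists are otherwise parallel.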
diff --git a/pod-security/baseline/disallow-proc-mount/e2e/bad-resource.yaml b/pod-security/baseline/disallow-proc-mount/e2e/bad-resource.yaml
new file mode 100644
index 00000000..5552bda7
--- /dev/null
+++ b/pod-security/baseline/disallow-proc-mount/e2e/bad-resource.yaml
@@ -0,0 +1,294 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + procMount: "Unmasked" +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + procMount: "Unmasked" +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + procMount: "Unmasked" + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + procMount: "Unmasked" + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + procMount: "Unmasked" + containers: + - name: container01 + image: nginx + securityContext: + procMount: "Unmasked" +# --- +# ###### Deployments - Bad +# apiVersion: apps/v1 +# kind: Deployment +# metadata: +# name: baddeployment01 +# spec: +# replicas: 1 +# selector: +# matchLabels: +# app: app +# template: +# metadata: +# labels: +# app: app +# spec: +# containers: +# - name: container01 +# image: nginx +# securityContext: +# procMount: "Unmasked" +# --- +# apiVersion: apps/v1 +# kind: Deployment +# metadata: +# name: baddeployment02 +# spec: +# replicas: 1 +# selector: +# matchLabels: +# app: app +# template: +# metadata: +# labels: +# app: app +# spec: +# containers: +# - name: container01 +# image: nginx +# - name: container02 +# image: nginx +# securityContext: +# procMount: "Unmasked" +# --- +# apiVersion: apps/v1 +# kind: Deployment +# metadata: +# name: baddeployment03 +# spec: +# replicas: 1 +# selector: +# 
matchLabels: +# app: app +# template: +# metadata: +# labels: +# app: app +# spec: +# initContainers: +# - name: initcontainer01 +# image: nginx +# securityContext: +# procMount: "Unmasked" +# containers: +# - name: container01 +# image: nginx +# --- +# apiVersion: apps/v1 +# kind: Deployment +# metadata: +# name: baddeployment04 +# spec: +# replicas: 1 +# selector: +# matchLabels: +# app: app +# template: +# metadata: +# labels: +# app: app +# spec: +# initContainers: +# - name: initcontainer01 +# image: nginx +# - name: initcontainer02 +# image: nginx +# securityContext: +# procMount: "Unmasked" +# containers: +# - name: container01 +# image: nginx +# --- +# apiVersion: apps/v1 +# kind: Deployment +# metadata: +# name: baddeployment05 +# spec: +# replicas: 1 +# selector: +# matchLabels: +# app: app +# template: +# metadata: +# labels: +# app: app +# spec: +# initContainers: +# - name: initcontainer01 +# image: nginx +# - name: initcontainer02 +# image: nginx +# securityContext: +# procMount: "Unmasked" +# containers: +# - name: container01 +# image: nginx +# securityContext: +# procMount: "Unmasked" +# --- +# ###### CronJobs - Bad +# apiVersion: batch/v1 +# kind: CronJob +# metadata: +# name: badcronjob01 +# spec: +# schedule: "*/1 * * * *" +# jobTemplate: +# spec: +# template: +# spec: +# restartPolicy: OnFailure +# containers: +# - name: container01 +# image: nginx +# securityContext: +# procMount: "Unmasked" +# --- +# apiVersion: batch/v1 +# kind: CronJob +# metadata: +# name: badcronjob02 +# spec: +# schedule: "*/1 * * * *" +# jobTemplate: +# spec: +# template: +# spec: +# restartPolicy: OnFailure +# containers: +# - name: container01 +# image: nginx +# - name: container02 +# image: nginx +# securityContext: +# procMount: "Unmasked" +# --- +# apiVersion: batch/v1 +# kind: CronJob +# metadata: +# name: badcronjob03 +# spec: +# schedule: "*/1 * * * *" +# jobTemplate: +# spec: +# template: +# spec: +# restartPolicy: OnFailure +# initContainers: +# - name: 
initcontainer01 +# image: nginx +# securityContext: +# procMount: "Unmasked" +# containers: +# - name: container01 +# image: nginx +# --- +# apiVersion: batch/v1 +# kind: CronJob +# metadata: +# name: badcronjob04 +# spec: +# schedule: "*/1 * * * *" +# jobTemplate: +# spec: +# template: +# spec: +# restartPolicy: OnFailure +# initContainers: +# - name: initcontainer01 +# image: nginx +# - name: initcontainer02 +# image: nginx +# securityContext: +# procMount: "Unmasked" +# containers: +# - name: container01 +# image: nginx +# --- +# apiVersion: batch/v1 +# kind: CronJob +# metadata: +# name: badcronjob05 +# spec: +# schedule: "*/1 * * * *" +# jobTemplate: +# spec: +# template: +# spec: +# restartPolicy: OnFailure +# initContainers: +# - name: initcontainer01 +# image: nginx +# - name: initcontainer02 +# image: nginx +# securityContext: +# procMount: "Unmasked" +# containers: +# - name: container01 +# image: nginx +# securityContext: +# procMount: "Unmasked" diff --git a/pod-security/baseline/disallow-proc-mount/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-proc-mount/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..7ab56871 --- /dev/null +++ b/pod-security/baseline/disallow-proc-mount/e2e/chainsaw-test.yaml 
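Review bot: Roughly three quarters of bad-resource.yaml (every Deployment and CronJob case) is commented out with no explanation, and the chainsaw test for this policy never applies the file, so none of these manifests exercise anything. If the reason is that `procMount: Unmasked` depends on the ProcMountType feature gate — which the kind clusters in the CI matrix presumably do not enable, so the API server drops the field before admission and the policy never sees it — say so in a header comment, e.g. `# Deployment/CronJob cases disabled: procMount requires the ProcMountType feature gate; see chainsaw-test.yaml`, and delete the dead fixtures rather than keeping them as commented YAML that will drift from the live ones.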
@@ -0,0 +1,44 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: disallow-proc-mount-policy
+spec:
+ steps:
+ - name: test-disallow-proc-mount
+ try:
+ - apply:
+ file: ../disallow-proc-mount.yaml
+ - assert:
+ file: policy-assert.yaml
+ - apply:
+ file: ../remediate-disallow-proc-mount.yaml
+ - assert:
+ file: remediation-policy-assert.yaml
+ - apply:
+ file: ../deployment.yaml
+ - sleep:
+ duration: 20s
+ - assert:
+ resource:
+ apiVersion: wgpolicyk8s.io/v1alpha2
+ kind: PolicyReport
+ summary:
+ error: 0
+ fail: 0
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: remediate-disallow-proc-mount
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-proc-mount.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ # - apply:
+ # expect:
+ # - check:
+ # ($error != null): true
+ # file: bad-resource.yaml
diff --git a/pod-security/baseline/disallow-proc-mount/e2e/enforce-policy-assert.yaml b/pod-security/baseline/disallow-proc-mount/e2e/enforce-policy-assert.yaml
new file mode 100644
index 00000000..e1af728c
--- /dev/null
+++ b/pod-security/baseline/disallow-proc-mount/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-proc-mount
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-proc-mount/e2e/good-resource.yaml b/pod-security/baseline/disallow-proc-mount/e2e/good-resource.yaml
new file mode 100644
index 00000000..a482363c
--- /dev/null
+++ b/pod-security/baseline/disallow-proc-mount/e2e/good-resource.yaml
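Review bot: The negative `apply` of bad-resource.yaml at the end of chainsaw-test.yaml is commented out, so this test never checks that disallow-proc-mount rejects anything — it passes as long as the policy reports Ready and good-resource.yaml is admitted, which a validate rule with an empty or always-true pattern would pass too. If the negative case cannot run because the kind clusters in the matrix do not enable the ProcMountType feature gate (presumably the API server silently drops `procMount` and the policy never sees it), record that next to the disabled step, e.g. `# bad-resource apply disabled: procMount is dropped by the API server unless the ProcMountType feature gate is on`, and cover the Enforce path another way, such as a CLI-based `kyverno apply` test against the same fixtures. As written, a regression in this policy's validate rule would not be caught by CI on any Kubernetes version in the matrix.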
@@ -0,0 +1,323 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + procMount: Default +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + procMount: Default +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + procMount: Default + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + procMount: Default + containers: + - name: container01 + image: nginx + securityContext: + procMount: Default +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + procMount: Default +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + 
- name: container02 + image: nginx + securityContext: + procMount: Default +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + procMount: Default + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + procMount: Default + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + procMount: Default +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + procMount: Default +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + procMount: Default +--- +apiVersion: batch/v1 
+kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + procMount: Default + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + procMount: Default + containers: + - name: container01 + image: nginx + securityContext: + procMount: Default diff --git a/pod-security/baseline/disallow-proc-mount/e2e/policy-assert.yaml b/pod-security/baseline/disallow-proc-mount/e2e/policy-assert.yaml new file mode 100644 index 00000000..e8a9a139 --- /dev/null +++ b/pod-security/baseline/disallow-proc-mount/e2e/policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-proc-mount +spec: + validationFailureAction: Audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/pod-security/baseline/disallow-proc-mount/e2e/remediation-policy-assert.yaml b/pod-security/baseline/disallow-proc-mount/e2e/remediation-policy-assert.yaml new file mode 100644 index 00000000..88e067c6 --- /dev/null +++ b/pod-security/baseline/disallow-proc-mount/e2e/remediation-policy-assert.yaml 
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-disallow-proc-mount
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/pod-security/baseline/disallow-selinux/e2e/bad-resource.yaml b/pod-security/baseline/disallow-selinux/e2e/bad-resource.yaml
new file mode 100644
index 00000000..85da92f3
--- /dev/null
+++ b/pod-security/baseline/disallow-selinux/e2e/bad-resource.yaml
@@ -0,0 +1,1450 @@ +######################## +## Rule: selinux-type ## +######################## +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: 
container01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: 
+ labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + schedule: 
"*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: spc_t + containers: + - name: container01 + image: nginx +--- +############################# +## Rule: selinux-user-role ## +############################# +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod05 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod06 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: v1 +kind: Pod +metadata: + name: 
selur-badpod07 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod08 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod09 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod10 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: unconfined_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod11 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod12 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod13 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod14 +spec: + initContainers: + - name: initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod15 +spec: + initContainers: + - name: 
initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod16 +spec: + initContainers: + - name: initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-badpod17 +spec: + initContainers: + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + 
image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + 
seLinuxOptions: + type: unconfined_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment11 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment12 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment13 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment14 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment15 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r + containers: + - 
name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment16 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-baddeployment17 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: 
OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: unconfined_t + - 
name: container02 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob11 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob12 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob13 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob14 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + user: sysadm_u + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-badcronjob15 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer02 + image: nginx + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + role: sysadm_r + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: 
selur-badcronjob16
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: initcontainer02
+ image: nginx
+ - name: initcontainer01
+ image: nginx
+ securityContext:
+ seLinuxOptions:
+ user: sysadm_u
+ role: sysadm_r
+ containers:
+ - name: container01
+ image: nginx
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: selur-badcronjob17
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: initcontainer02
+ image: nginx
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ - name: initcontainer01
+ image: nginx
+ securityContext:
+ seLinuxOptions:
+ user: sysadm_u
+ containers:
+ - name: container01
+ image: nginx
diff --git a/pod-security/baseline/disallow-selinux/e2e/chainsaw-test.yaml b/pod-security/baseline/disallow-selinux/e2e/chainsaw-test.yaml
new file mode 100644
index 00000000..cb9d1433
--- /dev/null
+++ b/pod-security/baseline/disallow-selinux/e2e/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: disallow-selinux-policy
+spec:
+ steps:
+ - name: test-disallow-selinux
+ try:
+ - apply:
+ file: ../disallow-selinux.yaml
+ - assert:
+ file: policy-assert.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-selinux.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
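Review bot: Several of the "bad" fixtures in bad-resource.yaml are byte-for-byte duplicates and add no coverage: under selinux-type, badpod02, baddeployment02 and badcronjob02 repeat the 01 entries, and under selinux-user-role, selur-badpod04–06, selur-baddeployment04–06 and selur-badcronjob04–06 repeat 01–03. At the same time no fixture sets SELinux options at the pod level (`spec.securityContext.seLinuxOptions`, or `spec.template.spec.securityContext` for Deployments and CronJobs), which a baseline SELinux control presumably also rejects — the policy is not in this hunk, so confirm against `../disallow-selinux.yaml`. The 01/02 pairing suggests the 01 entries were meant to be the pod-level variants; rewriting them that way, as below for badpod01, turns the duplicates into distinct cases and closes the gap.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: badpod01
spec:
  securityContext:
    seLinuxOptions:
      type: spc_t
  containers:
  - name: container01
    image: nginx
# … unchanged: badpod02 onward …
```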
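Review bot: The `expect` on the bad-resource apply, `($error != null): true`, is satisfied by any apply error — a malformed manifest, a missing file or an API-server schema rejection all count as the policy "working" — so a broken fixture cannot make this step fail. Narrowing the check to the admission message, e.g. `(contains($error, 'disallow-selinux')): true`, ties the expected failure to the policy under test. The Enforce switch is a `sed` piped into `kubectl apply -f -`; when the source line does not match exactly the sed is a silent no-op and the test only fails later at enforce-policy-assert.yaml, so a comment above the `script` step stating that it depends on the policy file shipping with `validationFailureAction: Audit` would help the next reader.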
diff --git a/best-practices/require_drop_cap_net_raw/e2e/03-enforce-policy-assert.yaml b/pod-security/baseline/disallow-selinux/e2e/enforce-policy-assert.yaml similarity index 79% rename from best-practices/require_drop_cap_net_raw/e2e/03-enforce-policy-assert.yaml rename to pod-security/baseline/disallow-selinux/e2e/enforce-policy-assert.yaml index b2704d10..12885f74 100644 --- a/best-practices/require_drop_cap_net_raw/e2e/03-enforce-policy-assert.yaml +++ b/pod-security/baseline/disallow-selinux/e2e/enforce-policy-assert.yaml @@ -1,11 +1,11 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: drop-cap-net-raw + name: disallow-selinux spec: validationFailureAction: Enforce status: conditions: - reason: Succeeded status: "True" - type: Ready + type: Ready \ No newline at end of file diff --git a/pod-security/baseline/disallow-selinux/e2e/good-resource.yaml b/pod-security/baseline/disallow-selinux/e2e/good-resource.yaml new file mode 100644 index 00000000..9b0f0908 --- /dev/null +++ b/pod-security/baseline/disallow-selinux/e2e/good-resource.yaml 
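Review bot: The edit to the last line drops the file's trailing newline (`\ No newline at end of file`), a formatting regression in the renamed file that will show up as a spurious change the next time it is touched. Keep `  type: Ready` followed by a newline in the new enforce-policy-assert.yaml.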
@@ -0,0 +1,1439 @@ +######################## +## Rule: selinux-type ## +######################## +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod07 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod08 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod09 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + containers: + - 
name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod11 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod12 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod13 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod14 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + containers: + - name: container01 + image: nginx +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: 
container_init_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: apps/v1 
+kind: Deployment +metadata: + name: gooddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment11 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment12 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment13 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment14 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: 
+ name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob08 +spec: + 
schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob11 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob12 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_kvm_t + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob13 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: 
container_t + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob14 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_init_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + containers: + - name: container01 + image: nginx +--- +############################# +## Rule: selinux-user-role ## +############################# +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + level: "s0:c123,c456" +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod05 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod06 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 
+ image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod08 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + type: container_t + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: selur-goodpod11 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + 
securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + level: "s0:c123,c456" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + 
app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + type: container_t + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: selur-gooddeployment11 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: 
selur-goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + level: "s0:c123,c456" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: container02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + type: container_t + containers: + - name: container01 + image: 
nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: selur-goodcronjob11 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seLinuxOptions: + type: container_t + - name: initcontainer02 + image: nginx + securityContext: + seLinuxOptions: + level: "s0:c123,c456" + containers: + - name: container01 + image: nginx diff --git a/best-practices/require_drop_cap_net_raw/e2e/policy-assert.yaml b/pod-security/baseline/disallow-selinux/e2e/policy-assert.yaml similarity index 87% rename from best-practices/require_drop_cap_net_raw/e2e/policy-assert.yaml rename to pod-security/baseline/disallow-selinux/e2e/policy-assert.yaml index 69052c9e..0039b8b0 100644 --- a/best-practices/require_drop_cap_net_raw/e2e/policy-assert.yaml +++ b/pod-security/baseline/disallow-selinux/e2e/policy-assert.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: drop-cap-net-raw + name: disallow-selinux spec: validationFailureAction: Audit status: diff --git a/pod-security/baseline/restrict-apparmor-profiles/e2e/bad-resource.yaml b/pod-security/baseline/restrict-apparmor-profiles/e2e/bad-resource.yaml new file mode 100644 index 00000000..80f0495d --- /dev/null +++ b/pod-security/baseline/restrict-apparmor-profiles/e2e/bad-resource.yaml 
@@ -0,0 +1,52 @@
+###### Pods - Bad
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container01: unconfined
+spec:
+ containers:
+ - name: container01
+ image: nginx
+---
+###### Deployments - Bad
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: baddeployment01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container01: unconfined
+ spec:
+ containers:
+ - name: container01
+ image: nginx
+---
+###### CronJobs - Bad
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob01
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container01: unconfined
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: container01
+ image: nginx
diff --git a/pod-security/baseline/restrict-apparmor-profiles/e2e/chainsaw-test.yaml b/pod-security/baseline/restrict-apparmor-profiles/e2e/chainsaw-test.yaml
new file mode 100644
index 00000000..9c6f8fa6
--- /dev/null
+++ b/pod-security/baseline/restrict-apparmor-profiles/e2e/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-apparmor-profiles-policy
+spec:
+ steps:
+ - name: test-restrict-apparmor-profiles
+ try:
+ - apply:
+ file: ../restrict-apparmor-profiles.yaml
+ - assert:
+ file: policy-assert.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-apparmor-profiles.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
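Review bot: Every Bad fixture in this file uses the same disallowed value, `unconfined`, so the negative test cannot tell whether the policy is an allowlist (runtime/default and localhost/*, as the Good fixtures suggest) or only rejects that one string. The policy itself is not in this diff, so this is inferred from the fixtures; if it is meant as an allowlist, one extra object per kind with an arbitrary value, e.g. `container.apparmor.security.beta.kubernetes.io/container01: not-a-known-profile` (constructed value), would pin that behaviour. A header comment such as `# Bad cases: unconfined only; allowlist behaviour is covered by the not-a-known-profile objects` would then document the intent of each group.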
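Review bot: The final apply step accepts any failure: `($error != null): true` is satisfied by a schema error in bad-resource.yaml, a missing CRD or an unreachable API server just as well as by an admission denial, so the negative test can pass for the wrong reason. Kyverno's denial message names the policy that blocked the request, so tightening the check to `(contains($error, 'restrict-apparmor-profiles')): true` ties the expectation to this policy rather than to "something went wrong". The restrict-seccomp chainsaw-test.yaml further down uses the identical `($error != null)` check and should get the same treatment with its own policy name.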
diff --git a/pod-security/baseline/restrict-apparmor-profiles/e2e/enforce-policy-assert.yaml b/pod-security/baseline/restrict-apparmor-profiles/e2e/enforce-policy-assert.yaml
new file mode 100644
index 00000000..8245cc83
--- /dev/null
+++ b/pod-security/baseline/restrict-apparmor-profiles/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-apparmor-profiles
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-apparmor-profiles/e2e/good-resource.yaml b/pod-security/baseline/restrict-apparmor-profiles/e2e/good-resource.yaml
new file mode 100644
index 00000000..d7e66670
--- /dev/null
+++ b/pod-security/baseline/restrict-apparmor-profiles/e2e/good-resource.yaml
@@ -0,0 +1,142 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 + annotations: + container.apparmor.security.beta.kubernetes.io/container01: runtime/default +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 + annotations: + container.apparmor.security.beta.kubernetes.io/container01: localhost/foo +spec: + containers: + - name: container01 + image: nginx +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + annotations: + container.apparmor.security.beta.kubernetes.io/container01: runtime/default + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + annotations: + container.apparmor.security.beta.kubernetes.io/container01: localhost/foo + spec: + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container01: 
runtime/default + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container01: localhost/foo + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx diff --git a/best-practices/disallow_default_namespace/e2e/policy-assert.yaml b/pod-security/baseline/restrict-apparmor-profiles/e2e/policy-assert.yaml similarity index 83% rename from best-practices/disallow_default_namespace/e2e/policy-assert.yaml rename to pod-security/baseline/restrict-apparmor-profiles/e2e/policy-assert.yaml index 14e8bb4b..81905aa3 100644 --- a/best-practices/disallow_default_namespace/e2e/policy-assert.yaml +++ b/pod-security/baseline/restrict-apparmor-profiles/e2e/policy-assert.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-default-namespace + name: restrict-apparmor-profiles spec: validationFailureAction: Audit status: diff --git a/pod-security/baseline/restrict-seccomp/e2e/bad-resource.yaml b/pod-security/baseline/restrict-seccomp/e2e/bad-resource.yaml new file mode 100644 index 00000000..31a744d0 --- /dev/null +++ b/pod-security/baseline/restrict-seccomp/e2e/bad-resource.yaml 
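Review bot: The Good fixtures exercise only the beta annotation form `container.apparmor.security.beta.kubernetes.io/<container>`; none sets a profile through `securityContext.appArmorProfile`, the field form Kubernetes added in 1.30 at both pod and container level. For clusters below 1.30 that is complete, but as soon as the version matrix includes 1.30 or later the suite needs a Good and a Bad object using the field, otherwise it cannot show whether the policy inspects that path at all (the policy is not part of this diff, so that is not verifiable here). A note at the top of the file, e.g. `# annotation form only; add securityContext.appArmorProfile cases when testing Kubernetes >= 1.30`, would record the gap until those fixtures exist.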
@@ -0,0 +1,429 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + 
seccompProfile: + type: Unconfined +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: 
app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + 
schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx diff --git a/pod-security/baseline/restrict-seccomp/e2e/chainsaw-test.yaml b/pod-security/baseline/restrict-seccomp/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..7915be66 --- /dev/null +++ b/pod-security/baseline/restrict-seccomp/e2e/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-seccomp-policy +spec: + steps: + - name: test-restrict-seccomp + try: + - apply: + file: ../restrict-seccomp.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-seccomp.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/best-practices/restrict_node_port/e2e/03-enforce-policy-assert.yaml b/pod-security/baseline/restrict-seccomp/e2e/enforce-policy-assert.yaml similarity index 79% rename from best-practices/restrict_node_port/e2e/03-enforce-policy-assert.yaml rename to pod-security/baseline/restrict-seccomp/e2e/enforce-policy-assert.yaml index 260bf2c8..c221e087 100644 
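Review bot: badpod01 and badpod02 are identical apart from their names — both set `seccompProfile.type: Unconfined` on container01 — and the same duplication appears in baddeployment01/02 and badcronjob01/02, so half of the single-container Bad cases add no coverage. The PSS baseline seccomp control also applies to the pod-level `spec.securityContext.seccompProfile`, and no fixture in this file sets it; if the policy checks that path (not visible in this diff) it is currently untested. Moving the `securityContext: seccompProfile: type: Unconfined` block of the second object in each pair from the container up to `spec.securityContext` (and, for the templated kinds, the template's pod spec) would give the duplicates a purpose. The restrict-seccomp good-resource.yaml hunk below shows the same pattern with goodpod02/04 and goodpod03/05; that hunk continues past the end of this view.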
--- a/best-practices/restrict_node_port/e2e/03-enforce-policy-assert.yaml +++ b/pod-security/baseline/restrict-seccomp/e2e/enforce-policy-assert.yaml @@ -1,11 +1,11 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: restrict-nodeport + name: restrict-seccomp spec: validationFailureAction: Enforce status: conditions: - reason: Succeeded status: "True" - type: Ready + type: Ready \ No newline at end of file diff --git a/pod-security/baseline/restrict-seccomp/e2e/good-resource.yaml b/pod-security/baseline/restrict-seccomp/e2e/good-resource.yaml new file mode 100644 index 00000000..86eb81eb --- /dev/null +++ b/pod-security/baseline/restrict-seccomp/e2e/good-resource.yaml 
@@ -0,0 +1,647 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod07 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod08 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + containers: + - name: 
container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod11 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 
+spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + 
app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment11 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: 
"*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: 
initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob11 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx diff --git a/best-practices/require_labels/e2e/policy-assert.yaml b/pod-security/baseline/restrict-seccomp/e2e/policy-assert.yaml similarity index 87% rename from best-practices/require_labels/e2e/policy-assert.yaml rename to pod-security/baseline/restrict-seccomp/e2e/policy-assert.yaml index 9c48b242..f590f123 100644 --- a/best-practices/require_labels/e2e/policy-assert.yaml +++ b/pod-security/baseline/restrict-seccomp/e2e/policy-assert.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: require-labels + name: restrict-seccomp spec: validationFailureAction: Audit status: diff --git a/pod-security/baseline/restrict-sysctls/e2e/bad-resource.yaml b/pod-security/baseline/restrict-sysctls/e2e/bad-resource.yaml new file mode 100644 index 00000000..6cd77d12 --- /dev/null +++ b/pod-security/baseline/restrict-sysctls/e2e/bad-resource.yaml 
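Review bot: The Localhost fixtures (goodpod03/05/07/09/11 and their Deployment/CronJob counterparts) reference `localhostProfile: operator/default/profile1.json`, and nothing in this change installs that profile on the kind node, so these resources pass admission but the kubelet will not be able to start the container. That is harmless for this test, which only asserts that `apply` succeeds, but the file should say so, e.g. a header comment `# Localhost profiles are accepted by the baseline policy whether or not the file exists on the node; these pods are not expected to reach Running.` Likewise goodpod01 and gooddeployment01 set no seccompProfile anywhere, which baseline permits (only Unconfined is forbidden) but the restricted level would reject; a one-line comment on goodpod01 noting that "unset" is deliberately a passing case would stop it being mistaken for an oversight.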
@@ -0,0 +1,117 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: kernel.shm_next_id + value: "4" +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "2" + - name: kernel.shm_next_id + value: "4" +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: kernel.shm_next_id + value: "4" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "2" + - name: kernel.shm_next_id + value: "4" +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: kernel.shm_next_id + value: "4" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "2" + - name: kernel.shm_next_id + value: "4" 
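Review bot: Every `sysctls` block in this file sits under `containers[].securityContext` (badpod01 onwards), but `sysctls` is a field of the pod-level PodSecurityContext; the container SecurityContext schema has no such field. Depending on the API server's field-validation mode the object is therefore either rejected as carrying an unknown field, which satisfies the test's `($error != null)` check without the restrict-sysctls policy ever evaluating it, or the field is pruned and the pod is admitted as if it set no sysctls at all. To exercise the policy, move each block to the pod spec: `spec:` / `securityContext:` / `sysctls:` (for Deployments and CronJobs, under the pod template's `spec`). The policy file itself is not in this diff, so confirm the path it validates matches that placement.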
diff --git a/pod-security/baseline/restrict-sysctls/e2e/chainsaw-test.yaml b/pod-security/baseline/restrict-sysctls/e2e/chainsaw-test.yaml
new file mode 100644
index 00000000..be596c1c
--- /dev/null
+++ b/pod-security/baseline/restrict-sysctls/e2e/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-sysctls-policy
+spec:
+ steps:
+ - name: test-restrict-sysctls
+ try:
+ - apply:
+ file: ../restrict-sysctls.yaml
+ - assert:
+ file: policy-assert.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-sysctls.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
diff --git a/pod-security/baseline/restrict-sysctls/e2e/enforce-policy-assert.yaml b/pod-security/baseline/restrict-sysctls/e2e/enforce-policy-assert.yaml
new file mode 100644
index 00000000..11726653
--- /dev/null
+++ b/pod-security/baseline/restrict-sysctls/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-sysctls
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-sysctls/e2e/good-resource.yaml b/pod-security/baseline/restrict-sysctls/e2e/good-resource.yaml
new file mode 100644
index 00000000..42e1e586
--- /dev/null
+++ b/pod-security/baseline/restrict-sysctls/e2e/good-resource.yaml
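Review bot: `($error != null): true` on the `bad-resource.yaml` apply accepts any error, and in this test that matters: the bad fixtures put `sysctls` under the container `securityContext`, where the schema has no such field, so a strict-validation rejection from the API server would make the step pass without the restrict-sysctls policy running at all (and with the default warn mode the field is pruned and the step fails for the opposite reason). Assert on the denial text instead, e.g. `(contains($error, 'restrict-sysctls')): true`, and fix the fixture to use the pod-level `securityContext`. The `sed | kubectl apply -f -` script also masks a `sed` failure behind the pipeline's last exit status; `kubectl patch clusterpolicy restrict-sysctls --type merge -p '{"spec":{"validationFailureAction":"Enforce"}}'` avoids both that and the dependence on the exact `Audit` spelling in `../restrict-sysctls.yaml`.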
@@ -0,0 +1,375 @@ +###### Pods - Good +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "2" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_local_port_range + value: "31000 60999" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "2048" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.tcp_syncookies + value: "0" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ping_group_range + value: "1 0" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod07 +spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "2048" + - name: net.ipv4.ping_group_range + value: "1 0" +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: 
kernel.shm_rmid_forced + value: "2" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_local_port_range + value: "31000 60999" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "2048" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.tcp_syncookies + value: "0" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ping_group_range + value: "1 0" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "2048" + - name: net.ipv4.ping_group_range + value: "1 0" +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- 
+apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "2" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_local_port_range + value: "31000 60999" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "2048" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.tcp_syncookies + value: "0" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ping_group_range + value: "1 0" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "2048" + - name: net.ipv4.ping_group_range + value: "1 0" 
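Review bot: goodpod02–goodpod07 and their Deployment/CronJob counterparts set `sysctls` under the container `securityContext`, which has no `sysctls` field; with strict field validation the `apply` of this file fails before the policy is consulted, and with the default warn mode the field is silently dropped, so the allowed sysctls this file is meant to prove are never actually seen by the policy. Move each block to the pod-level `securityContext` (under the pod template `spec` for Deployments and CronJobs). Separately, `net.ipv4.tcp_syncookies: "0"` disables SYN-cookie protection in the pod's network namespace; it is on the PSS baseline allow-list, so the policy correctly admits it, but a comment such as `# allowed by baseline (namespaced sysctl); not a recommended value` would keep it from being copied as a good example.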
diff --git a/best-practices/restrict_node_port/e2e/policy-assert.yaml b/pod-security/baseline/restrict-sysctls/e2e/policy-assert.yaml
similarity index 87%
rename from best-practices/restrict_node_port/e2e/policy-assert.yaml
rename to pod-security/baseline/restrict-sysctls/e2e/policy-assert.yaml
index 7ae2a8a0..e638ddf4 100644
--- a/best-practices/restrict_node_port/e2e/policy-assert.yaml
+++ b/pod-security/baseline/restrict-sysctls/e2e/policy-assert.yaml
@@ -1,7 +1,7 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
- name: restrict-nodeport
+ name: restrict-sysctls
spec:
validationFailureAction: Audit
status:
diff --git a/pod-security/restricted/disallow-capabilities-strict/deployment.yaml b/pod-security/restricted/disallow-capabilities-strict/deployment.yaml
index 427085ff..e034103c 100644
--- a/pod-security/restricted/disallow-capabilities-strict/deployment.yaml
+++ b/pod-security/restricted/disallow-capabilities-strict/deployment.yaml
@@ -40,7 +40,7 @@ spec:
cpu: "500m"
hostIPC: true
initContainers:
- - name: nginx2
+ - name: nginx3
image: nginx:latest
securityContext:
privileged: true
diff --git a/pod-security/restricted/disallow-capabilities-strict/e2e/bad-resource.yaml b/pod-security/restricted/disallow-capabilities-strict/e2e/bad-resource.yaml
new file mode 100644
index 00000000..d5a66f4f
--- /dev/null
+++ b/pod-security/restricted/disallow-capabilities-strict/e2e/bad-resource.yaml
@@ -0,0 +1,1351 @@ +############################ +## Rule: require-drop-all ## +############################ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod08 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + 
securityContext: + capabilities: + drop: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - 
NET_RAW + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - 
NET_RAW + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + 
capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +###################################### +## Rule: adding-capabilities-strict ## +###################################### +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod01 +spec: + containers: + - name: container01 + image: nginx + 
securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod05 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod08 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - 
NET_BIND_SERVICE + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: addcap-badpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment05 
+spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: addcap-baddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + 
name: addcap-baddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + 
securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: container02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: addcap-badcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: 
+ add: + - NET_BIND_SERVICE + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + add: + - CHOWN + - NET_BIND_SERVICE + containers: + - name: container01 + image: nginx diff --git a/pod-security/restricted/disallow-capabilities-strict/e2e/chainsaw-test.yaml b/pod-security/restricted/disallow-capabilities-strict/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..626dae0c --- /dev/null +++ b/pod-security/restricted/disallow-capabilities-strict/e2e/chainsaw-test.yaml @@ -0,0 +1,44 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-capabilities-strict-policy +spec: + steps: + - name: test-disallow-capabilities-strict + try: + - apply: + file: ../disallow-capabilities-strict.yaml + - assert: + file: policy-assert.yaml + - apply: + file: ../remediate-disallow-capabilities-strict.yaml + - assert: + file: remediation-policy-assert.yaml + - apply: + file: ../deployment.yaml + - sleep: + duration: 20s + - assert: + resource: + apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + summary: + error: 0 + fail: 0 + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: remediate-capabilities-strict + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-capabilities-strict.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/best-practices/disallow-empty-ingress-host/e2e/03-enforce-policy-assert.yaml b/pod-security/restricted/disallow-capabilities-strict/e2e/enforce-policy-assert.yaml similarity index 75% rename from best-practices/disallow-empty-ingress-host/e2e/03-enforce-policy-assert.yaml rename to pod-security/restricted/disallow-capabilities-strict/e2e/enforce-policy-assert.yaml index 5fdc0d37..c0d4298b 100644 
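Review bot: The PolicyReport assertion after the `sleep` step cannot distinguish a remediated deployment from a report that has not been evaluated yet, because `summary: {error: 0, fail: 0}` is also satisfied by an empty summary, and with no `metadata.name` the assertion is presumably satisfied by any PolicyReport in the test namespace. Asserting a positive count as well, e.g. `pass: 1` next to `fail: 0`, makes the step prove that remediate-capabilities-strict actually mutated `../deployment.yaml` and that the validate rules then passed; if the report carries a `scope` reference to the deployment, scoping the assertion with it would tighten it further. Once a positive count is asserted the fixed `sleep: duration: 20s` is redundant with chainsaw's retrying assert and is the usual source of flakiness, so it can be dropped. The same pattern is in pod-security/restricted/disallow-privilege-escalation/e2e/chainsaw-test.yaml.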
--- a/best-practices/disallow-empty-ingress-host/e2e/03-enforce-policy-assert.yaml +++ b/pod-security/restricted/disallow-capabilities-strict/e2e/enforce-policy-assert.yaml @@ -1,11 +1,11 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-empty-ingress-host + name: disallow-capabilities-strict spec: validationFailureAction: Enforce status: conditions: - reason: Succeeded status: "True" - type: Ready + type: Ready \ No newline at end of file diff --git a/pod-security/restricted/disallow-capabilities-strict/e2e/good-resource.yaml b/pod-security/restricted/disallow-capabilities-strict/e2e/good-resource.yaml new file mode 100644 index 00000000..4c75887f --- /dev/null +++ b/pod-security/restricted/disallow-capabilities-strict/e2e/good-resource.yaml 
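Review bot: The old path best-practices/disallow-empty-ingress-host/e2e/03-enforce-policy-assert.yaml is removed by this rename, so if that policy's other e2e files are still in place (they are outside this view) its enforce step now has no assert file. Copying the file instead of moving it, or removing the whole disallow-empty-ingress-host e2e directory in the same commit, keeps the two suites independent. The renamed file also loses its trailing newline (`\ No newline at end of file`) while the sibling policy-assert.yaml files keep theirs, so `type: Ready` should end with a newline for consistency.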
@@ -0,0 +1,434 @@ +############################ +## Rule: require-drop-all ## +############################ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - ALL + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL 
+--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - ALL + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - 
ALL +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL + - name: container02 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + capabilities: + drop: + - NET_RAW + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + 
securityContext: + capabilities: + drop: + - ALL + - name: initcontainer02 + image: nginx + securityContext: + capabilities: + drop: + - ALL + containers: + - name: container01 + image: nginx + securityContext: + capabilities: + drop: + - ALL diff --git a/pod-security/restricted/disallow-capabilities-strict/e2e/policy-assert.yaml b/pod-security/restricted/disallow-capabilities-strict/e2e/policy-assert.yaml new file mode 100644 index 00000000..a45eed18 --- /dev/null +++ b/pod-security/restricted/disallow-capabilities-strict/e2e/policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-capabilities-strict +spec: + validationFailureAction: Audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/pod-security/restricted/disallow-capabilities-strict/e2e/remediation-policy-assert.yaml b/pod-security/restricted/disallow-capabilities-strict/e2e/remediation-policy-assert.yaml new file mode 100644 index 00000000..6ec61a32 --- /dev/null +++ b/pod-security/restricted/disallow-capabilities-strict/e2e/remediation-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: remediate-capabilities-strict +spec: + validationFailureAction: Audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/pod-security/restricted/disallow-privilege-escalation/e2e/bad-resource.yaml b/pod-security/restricted/disallow-privilege-escalation/e2e/bad-resource.yaml new file mode 100644 index 00000000..81585785 --- /dev/null +++ b/pod-security/restricted/disallow-privilege-escalation/e2e/bad-resource.yaml 
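Review bot: This good-resource file only covers the `require-drop-all` rule (the header `## Rule: require-drop-all ##` is the sole section), whereas bad-resource.yaml has a separate `adding-capabilities-strict` section; the allow path of that rule, a container that drops ALL and adds only `NET_BIND_SERVICE`, is therefore never applied under Enforce, and a regression that rejects NET_BIND_SERVICE would go unnoticed. Adding at least one Pod, Deployment and CronJob of that shape under a `## Rule: adding-capabilities-strict ##` header mirrors the bad file's layout; a constructed Pod example follows, with the name chosen to match the file's numbering style.
```yaml
---
############################################
## Rule: adding-capabilities-strict (Good) ##
############################################
apiVersion: v1
kind: Pod
metadata:
  name: addcap-goodpod01
spec:
  containers:
  - name: container01
    image: nginx
    securityContext:
      capabilities:
        drop:
        - ALL
        add:
        - NET_BIND_SERVICE
# … Deployment and CronJob variants of the same container spec …
```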
@@ -0,0 +1,333 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: true + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: true + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + 
replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: true + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: true + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: true +--- +apiVersion: batch/v1 +kind: 
CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: true + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: true + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false diff --git a/pod-security/restricted/disallow-privilege-escalation/e2e/chainsaw-test.yaml b/pod-security/restricted/disallow-privilege-escalation/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..8ece2195 --- /dev/null +++ b/pod-security/restricted/disallow-privilege-escalation/e2e/chainsaw-test.yaml 
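Review bot: Every bad case in this file is either a container with no `securityContext` at all or one with `allowPrivilegeEscalation: true`; the third shape the policy must reject, a `securityContext` that is present with other keys but omits `allowPrivilegeEscalation`, is not covered, and it is the one most likely to regress if the policy's pattern treats the two absences differently. A single-container case with `securityContext:` / `  runAsNonRoot: true` and no `allowPrivilegeEscalation` key would close the gap for Pods, Deployments and CronJobs alike.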
@@ -0,0 +1,44 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-privilege-escalation-policy +spec: + steps: + - name: test-disallow-privilege-escalation + try: + - apply: + file: ../disallow-privilege-escalation.yaml + - assert: + file: policy-assert.yaml + - apply: + file: ../remediate-disallow-privilege-escalation.yaml + - assert: + file: remediation-policy-assert.yaml + - apply: + file: ../deployment.yaml + - sleep: + duration: 20s + - assert: + resource: + apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + summary: + error: 0 + fail: 0 + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: remediate-disallow-privilege-escalation + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-privilege-escalation.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/pod-security/restricted/disallow-privilege-escalation/e2e/enforce-policy-assert.yaml b/pod-security/restricted/disallow-privilege-escalation/e2e/enforce-policy-assert.yaml new file mode 100644 index 00000000..cda2b356 --- /dev/null +++ b/pod-security/restricted/disallow-privilege-escalation/e2e/enforce-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-privilege-escalation +spec: + validationFailureAction: Enforce +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/pod-security/restricted/disallow-privilege-escalation/e2e/good-resource.yaml b/pod-security/restricted/disallow-privilege-escalation/e2e/good-resource.yaml new file mode 100644 index 00000000..d0c323a9 --- /dev/null +++ b/pod-security/restricted/disallow-privilege-escalation/e2e/good-resource.yaml 
@@ -0,0 +1,335 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 
+spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: 
OnFailure + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: initcontainer02 + image: nginx + securityContext: + allowPrivilegeEscalation: false + containers: + - name: container01 + image: nginx + securityContext: + allowPrivilegeEscalation: false + - name: container02 + image: nginx + securityContext: + allowPrivilegeEscalation: false 
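Review bot: The good set (and the bad set before it) exercises `containers` and `initContainers` only, while the remediation policy modified in this same commit also patches `ephemeralContainers`, so that branch of the policy has no fixture on either side. Covering it with a plain `apply` is not really possible, since ephemeral containers are added to a running Pod through their own subresource rather than at create time, so the gap is probably deliberate; a note at the top of the file would stop the next reader from looking for the missing case, e.g. `###### ephemeralContainers are not covered: they cannot be set through apply at create time`. The existing `###### Pods - Good` header shows the file already uses `#` comments for this kind of note.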
diff --git a/pod-security/restricted/disallow-privilege-escalation/e2e/policy-assert.yaml b/pod-security/restricted/disallow-privilege-escalation/e2e/policy-assert.yaml
new file mode 100644
index 00000000..282e13eb
--- /dev/null
+++ b/pod-security/restricted/disallow-privilege-escalation/e2e/policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-privilege-escalation
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/pod-security/restricted/disallow-privilege-escalation/e2e/remediation-policy-assert.yaml b/pod-security/restricted/disallow-privilege-escalation/e2e/remediation-policy-assert.yaml
new file mode 100644
index 00000000..0a708da1
--- /dev/null
+++ b/pod-security/restricted/disallow-privilege-escalation/e2e/remediation-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-disallow-privilege-escalation
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/pod-security/restricted/disallow-privilege-escalation/remediate-disallow-privilege-escalation.yaml b/pod-security/restricted/disallow-privilege-escalation/remediate-disallow-privilege-escalation.yaml
index d085adec..56cb903d 100644
--- a/pod-security/restricted/disallow-privilege-escalation/remediate-disallow-privilege-escalation.yaml
+++ b/pod-security/restricted/disallow-privilege-escalation/remediate-disallow-privilege-escalation.yaml
@@ -39,15 +39,12 @@ spec: containers: - (name): "{{ element.name }}" securityContext: - (allowPrivilegeEscalation): true allowPrivilegeEscalation: false initContainers: - (name): "{{ element.name }}" securityContext: - (allowPrivilegeEscalation): true allowPrivilegeEscalation: false ephemeralContainers: - (name): "{{ element.name }}" securityContext: - (allowPrivilegeEscalation): true - allowPrivilegeEscalation: false \ No newline at end of file + allowPrivilegeEscalation: false diff --git a/pod-security/restricted/require-run-as-non-root-user/e2e/bad-resource.yaml b/pod-security/restricted/require-run-as-non-root-user/e2e/bad-resource.yaml new file mode 100644 index 00000000..cc984731 --- /dev/null +++ b/pod-security/restricted/require-run-as-non-root-user/e2e/bad-resource.yaml 
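Review bot: Dropping the three `(allowPrivilegeEscalation): true` anchors changes the rule from "flip an explicit true" to "set false on every container", and nothing in the file records why; a container that omits the field is allowed to escalate by default, so the old anchor left the most common non-compliant case unremediated, which is the right reason to make the change but worth stating. Suggest a comment above the first `securityContext:` block: `# Set unconditionally: an omitted allowPrivilegeEscalation is treated as allowed, so anchoring on an explicit "true" skipped containers that never set the field.` The `ephemeralContainers` branch most likely never fires during admission of a new Pod, since ephemeral containers are added to an existing Pod through their own subresource; whether the rule's match block accounts for that cannot be seen here, as the enclosing rule starts outside this hunk.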
@@ -0,0 +1,330 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsUser: 0 + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + runAsUser: 0 + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: 
container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsUser: 0 + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + runAsUser: 0 + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 0 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsUser: 0 +--- 
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob04
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: initcontainer01
+ image: nginx
+ containers:
+ - name: container01
+ image: nginx
+ securityContext:
+ runAsUser: 0
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob05
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: initcontainer01
+ image: nginx
+ securityContext:
+ runAsUser: 0
+ containers:
+ - name: container01
+ image: nginx
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob06
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: initcontainer01
+ image: nginx
+ - name: initcontainer02
+ image: nginx
+ securityContext:
+ runAsUser: 0
+ containers:
+ - name: container01
+ image: nginx
diff --git a/pod-security/restricted/require-run-as-non-root-user/e2e/chainsaw-test.yaml b/pod-security/restricted/require-run-as-non-root-user/e2e/chainsaw-test.yaml
new file mode 100644
index 00000000..51669bd7
--- /dev/null
+++ b/pod-security/restricted/require-run-as-non-root-user/e2e/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: require-run-as-non-root-user-policy
+spec:
+ steps:
+ - name: test-require-run-as-non-root-user
+ try:
+ - apply:
+ file: ../require-run-as-non-root-user.yaml
+ - assert:
+ file: policy-assert.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../require-run-as-non-root-user.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
diff --git a/pod-security/restricted/require-run-as-non-root-user/e2e/enforce-policy-assert.yaml b/pod-security/restricted/require-run-as-non-root-user/e2e/enforce-policy-assert.yaml
new file mode 100644
index 00000000..d49a7b37
--- /dev/null
+++ b/pod-security/restricted/require-run-as-non-root-user/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-run-as-non-root-user
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/pod-security/restricted/require-run-as-non-root-user/e2e/good-resource.yaml b/pod-security/restricted/require-run-as-non-root-user/e2e/good-resource.yaml
new file mode 100644
index 00000000..0a27353e
--- /dev/null
+++ b/pod-security/restricted/require-run-as-non-root-user/e2e/good-resource.yaml
@@ -0,0 +1,548 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 + - name: container02 + image: nginx + securityContext: + runAsUser: 2 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 + - name: container02 + image: nginx + securityContext: + runAsUser: 2 + securityContext: + runAsUser: 10 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod08 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsUser: 1 + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + runAsUser: 1 + containers: + - name: container01 + image: nginx +--- +###### 
Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 + - name: container02 + image: nginx + securityContext: + runAsUser: 2 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 + - name: container02 + image: nginx + securityContext: + runAsUser: 2 + securityContext: + runAsUser: 10 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + 
template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsUser: 1 + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + runAsUser: 1 + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- 
+apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 + - name: container02 + image: nginx + securityContext: + runAsUser: 2 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 + - name: container02 + image: nginx + securityContext: + runAsUser: 2 + securityContext: + runAsUser: 10 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsUser: 1 + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsUser: 1 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: 
goodcronjob10
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: initcontainer01
+ image: nginx
+ - name: initcontainer02
+ image: nginx
+ securityContext:
+ runAsUser: 1
+ containers:
+ - name: container01
+ image: nginx
diff --git a/pod-security/restricted/require-run-as-non-root-user/e2e/policy-assert.yaml b/pod-security/restricted/require-run-as-non-root-user/e2e/policy-assert.yaml
new file mode 100644
index 00000000..81d34d24
--- /dev/null
+++ b/pod-security/restricted/require-run-as-non-root-user/e2e/policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-run-as-non-root-user
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/pod-security/restricted/require-run-as-nonroot/e2e/bad-resource.yaml b/pod-security/restricted/require-run-as-nonroot/e2e/bad-resource.yaml
new file mode 100644
index 00000000..6a270780
--- /dev/null
+++ b/pod-security/restricted/require-run-as-nonroot/e2e/bad-resource.yaml
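Review bot: `goodpod01`, `gooddeployment01` and `goodcronjob01` set no `securityContext` anywhere and are asserted as compliant, so the contract this fixture pins is "no explicit `runAsUser: 0`", not "must run as a non-root user" — an image whose default user is root passes this policy unchanged. That is consistent with the PSS restricted `runAsUser` check, and the `runAsNonRoot: true` side is covered by the separate require-run-as-nonroot policy whose tests follow in this commit, but a reader of this file alone cannot tell that the omission is intentional. Suggest extending the header line to `###### Pods - Good (omitted runAsUser is compliant: the policy only rejects an explicit 0; runAsNonRoot is checked by require-run-as-nonroot)`.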
@@ -0,0 +1,867 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod08 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod09 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- 
+apiVersion: v1 +kind: Pod +metadata: + name: badpod11 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod12 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod13 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod14 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod15 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 
+spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + 
containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment11 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment12 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment13 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment14 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: 
initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment15 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob 
+metadata: + name: badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + - name: container02 + image: nginx + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob11 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + 
securityContext: + runAsNonRoot: false +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob12 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob13 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob14 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + runAsNonRoot: false + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob15 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: false diff --git a/pod-security/restricted/require-run-as-nonroot/e2e/chainsaw-test.yaml b/pod-security/restricted/require-run-as-nonroot/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..7d7b019c --- /dev/null +++ b/pod-security/restricted/require-run-as-nonroot/e2e/chainsaw-test.yaml 
@@ -0,0 +1,44 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-run-as-nonroot-policy +spec: + steps: + - name: test-require-run-as-nonroot + try: + - apply: + file: ../require-run-as-nonroot.yaml + - assert: + file: policy-assert.yaml + - apply: + file: ../remediate-require-run-as-nonroot.yaml + - assert: + file: remediation-policy-assert.yaml + - apply: + file: ../deployment.yaml + - sleep: + duration: 20s + - assert: + resource: + apiVersion: wgpolicyk8s.io/v1alpha2 + kind: PolicyReport + summary: + error: 0 + fail: 0 + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: remediate-require-run-as-nonroot + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../require-run-as-nonroot.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/best-practices/require_drop_all/e2e/03-enforce-policy-assert.yaml b/pod-security/restricted/require-run-as-nonroot/e2e/enforce-policy-assert.yaml similarity index 77% rename from best-practices/require_drop_all/e2e/03-enforce-policy-assert.yaml rename to pod-security/restricted/require-run-as-nonroot/e2e/enforce-policy-assert.yaml index 7ce4d08e..871322e8 100644 --- a/best-practices/require_drop_all/e2e/03-enforce-policy-assert.yaml +++ b/pod-security/restricted/require-run-as-nonroot/e2e/enforce-policy-assert.yaml @@ -1,11 +1,11 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: drop-all-capabilities + name: require-run-as-nonroot spec: validationFailureAction: Enforce status: conditions: - reason: Succeeded status: "True" - type: Ready + type: Ready \ No newline at end of file 
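Review bot: The `expect` check on the final `apply` step, `($error != null): true`, only proves that applying bad-resource.yaml failed, not that the policy denied it — a schema error or typo in any of the bad documents would satisfy it just as well, so the negative test can pass while the policy never fires. Since the policy name is fixed, a check that ties the failure to the denial, e.g. `(contains($error, 'require-run-as-nonroot')): true`, is a one-line tightening; the same `$error != null` check is used in the restrict-seccomp-strict chainsaw-test.yaml later in this diff. Separately, the `sleep: 20s` followed by a PolicyReport assert with no name or scope (`summary: error: 0, fail: 0`) matches any report in the namespace and so passes whether or not the report for ../deployment.yaml has been produced yet. Chainsaw's `assert` already polls up to the configured assert timeout, so naming the expected report — for example adding `scope: {kind: Deployment, name: <name from deployment.yaml>}` under the asserted resource — and dropping the fixed sleep makes the remediation check both stricter and less timing-dependent.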
diff --git a/pod-security/restricted/require-run-as-nonroot/e2e/good-resource.yaml b/pod-security/restricted/require-run-as-nonroot/e2e/good-resource.yaml
new file mode 100644
index 00000000..1714f597
--- /dev/null
+++ b/pod-security/restricted/require-run-as-nonroot/e2e/good-resource.yaml
@@ -0,0 +1,593 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod08 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + 
runAsNonRoot: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + - name: initcontainer02 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment 
+metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + - name: initcontainer02 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +###### CronJobs - Good +apiVersion: batch/v1 
+kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - 
name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + - name: initcontainer02 + image: nginx + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + runAsNonRoot: true + - name: initcontainer02 + image: nginx + securityContext: + runAsNonRoot: true + containers: + - name: container01 + image: nginx + securityContext: + runAsNonRoot: true diff --git a/pod-security/restricted/require-run-as-nonroot/e2e/policy-assert.yaml b/pod-security/restricted/require-run-as-nonroot/e2e/policy-assert.yaml new file mode 100644 index 00000000..7af97483 --- /dev/null +++ b/pod-security/restricted/require-run-as-nonroot/e2e/policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-run-as-nonroot +spec: + validationFailureAction: Audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
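Review bot: Several fixtures in this file are indistinguishable once indentation is lost — goodpod01/goodpod02, gooddeployment01/gooddeployment02 and goodcronjob01/goodcronjob02 each read as a single `image: nginx` container with `runAsNonRoot: true`, so the case each document covers (presumably pod-level versus container-level `securityContext`) cannot be confirmed from the diff. A one-line YAML comment above each document naming its case, e.g. `# pod-level securityContext only`, `# container-level securityContext only`, `# both levels set`, would make the fixture's coverage reviewable and keep a future edit from silently collapsing two cases into one. The same applies to the bad-resource.yaml fixtures for this policy and to the restrict-seccomp-strict fixtures further down.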
diff --git a/pod-security/restricted/require-run-as-nonroot/e2e/remediation-policy-assert.yaml b/pod-security/restricted/require-run-as-nonroot/e2e/remediation-policy-assert.yaml
new file mode 100644
index 00000000..46683013
--- /dev/null
+++ b/pod-security/restricted/require-run-as-nonroot/e2e/remediation-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: remediate-require-run-as-nonroot
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/pod-security/restricted/restrict-seccomp-strict/e2e/bad-resource.yaml b/pod-security/restricted/restrict-seccomp-strict/e2e/bad-resource.yaml
new file mode 100644
index 00000000..31a744d0
--- /dev/null
+++ b/pod-security/restricted/restrict-seccomp-strict/e2e/bad-resource.yaml
@@ -0,0 +1,429 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + 
seccompProfile: + type: Unconfined +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: 
app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Unconfined +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Unconfined + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + 
schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: initcontainer01
+ image: nginx
+ - name: initcontainer02
+ image: nginx
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ containers:
+ - name: container01
+ image: nginx
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob07
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ initContainers:
+ - name: initcontainer01
+ image: nginx
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ - name: initcontainer02
+ image: nginx
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ containers:
+ - name: container01
+ image: nginx
diff --git a/pod-security/restricted/restrict-seccomp-strict/e2e/chainsaw-test.yaml b/pod-security/restricted/restrict-seccomp-strict/e2e/chainsaw-test.yaml
new file mode 100644
index 00000000..d785a9a4
--- /dev/null
+++ b/pod-security/restricted/restrict-seccomp-strict/e2e/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-seccomp-strict-policy
+spec:
+ steps:
+ - name: test-restrict-seccomp-strict
+ try:
+ - apply:
+ file: ../restrict-seccomp-strict.yaml
+ - assert:
+ file: policy-assert.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-seccomp-strict.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
diff --git a/pod-security/restricted/restrict-seccomp-strict/e2e/enforce-policy-assert.yaml b/pod-security/restricted/restrict-seccomp-strict/e2e/enforce-policy-assert.yaml
new file mode 100644
index 00000000..0983f7c8
--- /dev/null
+++ b/pod-security/restricted/restrict-seccomp-strict/e2e/enforce-policy-assert.yaml
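Review bot: Every negative case in this file sets `seccompProfile.type: Unconfined` somewhere; no document leaves the seccomp profile entirely unset on its only container (badpod05/06/07 and their Deployment and CronJob counterparts pair an unset `containers` entry with an Unconfined init container, so the unset container never has to fail on its own). The restricted Pod Security Standard rejects an absent profile as well as `Unconfined`, so if restrict-seccomp-strict is meant to enforce that, a case such as an additional Pod with a single `image: nginx` container and no `securityContext` at all — and likewise a Deployment and a CronJob — would cover the gap. If the policy intentionally tolerates an unset profile, a comment at the top of the `###### Pods - Bad` section saying so would save the next reader the same question.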
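Review bot: The second step asserts against `policy-assert.yaml`, but this part of the diff adds only `enforce-policy-assert.yaml`, `good-resource.yaml` and `bad-resource.yaml` under restrict-seccomp-strict/e2e; if the Audit-mode assert file is not added elsewhere in the commit, the test fails at that step before any policy behaviour is exercised. The `sed … | kubectl apply -f -` step switches the policy to Enforce by rewriting the source file on the fly, which couples the test to the exact string `validationFailureAction: Audit` in ../restrict-seccomp-strict.yaml; the following assert on `enforce-policy-assert.yaml` would catch a silent no-op, so this is acceptable, but a comment on the script step recording that, e.g. `# enforce-policy-assert.yaml below fails if this substitution did not match`, makes the dependency explicit.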
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-seccomp-strict
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/pod-security/restricted/restrict-seccomp-strict/e2e/good-resource.yaml b/pod-security/restricted/restrict-seccomp-strict/e2e/good-resource.yaml
new file mode 100644
index 00000000..242c8a47
--- /dev/null
+++ b/pod-security/restricted/restrict-seccomp-strict/e2e/good-resource.yaml
@@ -0,0 +1,653 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + localhostProfile: operator/default/profile1.json + type: Localhost +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod07 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod08 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: 
operator/default/profile1.json + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod09 +spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod10 +spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + 
replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + containers: + - name: container01 + image: nginx + 
securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +###### CronJobs - Good +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + 
seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + - name: container02 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + 
containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: nginx + securityContext: + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + - name: initcontainer02 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: container01 + image: nginx + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/pod-security/restricted/restrict-seccomp-strict/e2e/policy-assert.yaml b/pod-security/restricted/restrict-seccomp-strict/e2e/policy-assert.yaml new file mode 100644 index 00000000..1043b619 --- /dev/null +++ b/pod-security/restricted/restrict-seccomp-strict/e2e/policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-seccomp-strict +spec: + validationFailureAction: Audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/pod-security/restricted/restrict-volume-types/e2e/bad-resource.yaml b/pod-security/restricted/restrict-volume-types/e2e/bad-resource.yaml new file mode 100644 index 00000000..9e689129 --- /dev/null +++ b/pod-security/restricted/restrict-volume-types/e2e/bad-resource.yaml 
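Review bot: In good-resource.yaml goodpod03 is byte-identical to goodpod01, and goodpod04, gooddeployment03/04 and goodcronjob03/04 repeat 01/02 with at most the key order changed, so roughly a third of this 653-line fixture adds no coverage while every run applies all thirty objects. Those slots would be better spent on the shapes the set does not have, for instance a workload whose seccomp profile is set only at pod level with no container-level field at all, which is the inheritance path a rule scoped to `containers[]` alone would miss. As far as I can tell the chainsaw `apply` step only needs admission to succeed, so the `operator/default/profile1.json` Localhost profile never has to exist on the kind node; a header comment such as `# Localhost profiles below are never loaded; these objects only need to pass admission` would save the next maintainer from trying to provision it.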
@@ -0,0 +1,1320 @@ +###### Pods - Bad +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + gcePersistentDisk: + pdName: gke-pv + fsType: ext4 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + awsElasticBlockStore: + volumeID: vol-f37a03aa + fsType: ext4 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + gitRepo: + repository: https://github.com/kyverno/kyverno +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + nfs: + path: /data + server: 10.105.68.50 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + iscsi: + lun: 0 + iqn: iqn.1998-01.com.vmware:w1-hs3-n2503.eng.vmware.com:452738760:67 + targetPortal: 10.105.68.50:3260 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + glusterfs: + endpoints: test + path: /data +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + rbd: + image: foo + monitors: + - foo +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod08 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + 
volumes: + - name: udev + flexVolume: + driver: foo +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod09 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + cinder: + volumeID: my-vol +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod10 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + cephfs: + monitors: + - foo +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod11 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + flocker: + datasetName: fooset +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod12 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + fc: + wwids: + - fooid.corp +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod13 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + azureFile: + secretName: foosecret + shareName: fooshare +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod14 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + vsphereVolume: + volumePath: /foo/disk.vmdk +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod15 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + quobyte: + registry: 10.80.90.100:1111 + volume: foovol +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod16 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + azureDisk: + kind: Managed + diskName: foodisk + diskURI: 
/subscriptions/123456/resourceGroups/MC_myAKSCluster_myAKSCluster_eastus/providers/Microsoft.Compute/disks/myAKSDisk +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod17 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + portworxVolume: + volumeID: myportvol +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod18 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + scaleIO: + gateway: https://localhost:443/api + system: scaleio + volumeName: vol-0 + secretRef: + name: sio-secret + fsType: xfs +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod19 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + storageos: + volumeName: foovol +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod20 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + photonPersistentDisk: + pdID: fooid.corp +--- +###### Deployments - Bad +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + gcePersistentDisk: + pdName: gke-pv + fsType: ext4 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + awsElasticBlockStore: + volumeID: vol-f37a03aa + fsType: ext4 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 
+spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + gitRepo: + repository: https://github.com/kyverno/kyverno +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + nfs: + path: /data + server: 10.105.68.50 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + iscsi: + lun: 0 + iqn: iqn.1998-01.com.vmware:w1-hs3-n2503.eng.vmware.com:452738760:67 + targetPortal: 10.105.68.50:3260 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + glusterfs: + endpoints: test + path: /data +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + rbd: + image: foo + monitors: + - foo +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + 
app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + flexVolume: + driver: foo +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + cinder: + volumeID: my-vol +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment10 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + cephfs: + monitors: + - foo +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment11 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + flocker: + datasetName: fooset +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment12 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + fc: + wwids: + - fooid.corp +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment13 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + azureFile: + secretName: foosecret + shareName: fooshare +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + 
name: baddeployment14 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + vsphereVolume: + volumePath: /foo/disk.vmdk +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment15 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + quobyte: + registry: 10.80.90.100:1111 + volume: foovol +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment16 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + azureDisk: + kind: Managed + diskName: foodisk + diskURI: /subscriptions/123456/resourceGroups/MC_myAKSCluster_myAKSCluster_eastus/providers/Microsoft.Compute/disks/myAKSDisk +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment17 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + portworxVolume: + volumeID: myportvol +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment18 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + scaleIO: + gateway: https://localhost:443/api + system: scaleio + volumeName: vol-0 + secretRef: + name: sio-secret + fsType: xfs +--- 
+apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment19 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + storageos: + volumeName: foovol +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment20 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + photonPersistentDisk: + pdID: fooid.corp +--- +###### CronJobs - Bad +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + gcePersistentDisk: + pdName: gke-pv + fsType: ext4 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + awsElasticBlockStore: + volumeID: vol-f37a03aa + fsType: ext4 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + gitRepo: + repository: https://github.com/kyverno/kyverno +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + 
containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + nfs: + path: /data + server: 10.105.68.50 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + iscsi: + lun: 0 + iqn: iqn.1998-01.com.vmware:w1-hs3-n2503.eng.vmware.com:452738760:67 + targetPortal: 10.105.68.50:3260 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + glusterfs: + endpoints: test + path: /data +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + rbd: + image: foo + monitors: + - foo +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + flexVolume: + driver: foo +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + cinder: + volumeID: my-vol +--- +apiVersion: batch/v1 +kind: CronJob 
+metadata: + name: badcronjob10 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + cephfs: + monitors: + - foo +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob11 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + flocker: + datasetName: fooset +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob12 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + fc: + wwids: + - fooid.corp +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob13 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + azureFile: + secretName: foosecret + shareName: fooshare +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob14 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + vsphereVolume: + volumePath: /foo/disk.vmdk +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob15 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + quobyte: + 
registry: 10.80.90.100:1111 + volume: foovol +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob16 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + azureDisk: + kind: Managed + diskName: foodisk + diskURI: /subscriptions/123456/resourceGroups/MC_myAKSCluster_myAKSCluster_eastus/providers/Microsoft.Compute/disks/myAKSDisk +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob17 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + portworxVolume: + volumeID: myportvol +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob18 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + scaleIO: + gateway: https://localhost:443/api + system: scaleio + volumeName: vol-0 + secretRef: + name: sio-secret + fsType: xfs +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob19 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + storageos: + volumeName: foovol +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob20 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + photonPersistentDisk: + pdID: fooid.corp 
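Review bot: Every document in this 1320-line bad-resource.yaml carries exactly one container and exactly one disallowed volume, so the policy is never exercised against the shapes where a wrongly scoped rule could pass a violation: a pod that declares an allowed `emptyDir` next to a disallowed volume, a disallowed volume that no container mounts, and a pod with several volumes where only the last one is disallowed. One such case per workload kind costs three documents and would catch a rule that only validates the first or the mounted volume entry. The fixture is near-identical text repeated for three kinds times twenty drivers, and a header comment like `# one document per in-tree volume plugin the restricted profile rejects, repeated for Pod, Deployment and CronJob` would tell the next person how to extend it consistently.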
diff --git a/pod-security/restricted/restrict-volume-types/e2e/chainsaw-test.yaml b/pod-security/restricted/restrict-volume-types/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..1f915e85 --- /dev/null +++ b/pod-security/restricted/restrict-volume-types/e2e/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-volume-types-policy +spec: + steps: + - name: test-restrict-volume-types + try: + - apply: + file: ../restrict-volume-types.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-volume-types.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/pod-security/restricted/restrict-volume-types/e2e/enforce-policy-assert.yaml b/pod-security/restricted/restrict-volume-types/e2e/enforce-policy-assert.yaml new file mode 100644 index 00000000..ddf8c589 --- /dev/null +++ b/pod-security/restricted/restrict-volume-types/e2e/enforce-policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-volume-types +spec: + validationFailureAction: Enforce +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/pod-security/restricted/restrict-volume-types/e2e/good-resource.yaml b/pod-security/restricted/restrict-volume-types/e2e/good-resource.yaml new file mode 100644 index 00000000..40f2dfd6 --- /dev/null +++ b/pod-security/restricted/restrict-volume-types/e2e/good-resource.yaml 
@@ -0,0 +1,608 @@ +###### Pods - Good +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + emptyDir: {} +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: mysettings + mountPath: /settings + volumes: + - name: mysettings + configMap: + name: settings +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: warehouse + mountPath: /warehouse + volumes: + - name: warehouse + csi: + driver: disk.csi.azure.com + readOnly: true + fsType: xfs +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 + labels: + foo: bar +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: labels + mountPath: /labels + volumes: + - name: labels + downwardAPI: + items: + - path: labels + fieldRef: + fieldPath: metadata.labels +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod06 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: ephem + mountPath: /ephem + volumes: + - name: ephem + ephemeral: + volumeClaimTemplate: + metadata: + labels: + type: my-frontend-volume + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: "scratch-storage-class" + resources: + requests: + storage: 1Gi +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod07 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: foo + mountPath: /foo + volumes: + - name: foo + persistentVolumeClaim: + claimName: fooclaim + readOnly: true +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod08 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - mountPath: 
/var/run/secrets/tokens + name: vault-token + volumes: + - name: vault-token + projected: + sources: + - serviceAccountToken: + path: vault-token + expirationSeconds: 7200 + audience: vault +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod09 +spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - mountPath: /mysecret + name: mysecret + volumes: + - name: mysecret + secret: + secretName: mysecret +--- +###### Deployments - Good +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + emptyDir: {} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: mysettings + mountPath: /settings + volumes: + - name: mysettings + configMap: + name: settings +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: warehouse + mountPath: /warehouse + volumes: + - name: warehouse + csi: + driver: disk.csi.azure.com + readOnly: true + fsType: xfs +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + foo: bar + 
spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: labels + mountPath: /labels + volumes: + - name: labels + downwardAPI: + items: + - path: labels + fieldRef: + fieldPath: metadata.labels +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: ephem + mountPath: /ephem + volumes: + - name: ephem + ephemeral: + volumeClaimTemplate: + metadata: + labels: + type: my-frontend-volume + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: "scratch-storage-class" + resources: + requests: + storage: 1Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment07 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - name: foo + mountPath: /foo + volumes: + - name: foo + persistentVolumeClaim: + claimName: fooclaim + readOnly: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment08 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - mountPath: /var/run/secrets/tokens + name: vault-token + volumes: + - name: vault-token + projected: + sources: + - serviceAccountToken: + path: vault-token + expirationSeconds: 7200 + audience: vault +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment09 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: nginx + volumeMounts: + - mountPath: /mysecret + name: mysecret + volumes: + - name: mysecret + secret: + secretName: mysecret +--- +###### CronJobs - Good 
+apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: udev + mountPath: /data + volumes: + - name: udev + emptyDir: {} +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: mysettings + mountPath: /settings + volumes: + - name: mysettings + configMap: + name: settings +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: warehouse + mountPath: /warehouse + volumes: + - name: warehouse + csi: + driver: disk.csi.azure.com + readOnly: true + fsType: xfs +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + metadata: + labels: + foo: bar + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: labels + mountPath: /labels + volumes: + - name: labels + downwardAPI: + items: + - path: labels + fieldRef: + fieldPath: metadata.labels +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: ephem + mountPath: /ephem + volumes: 
+ - name: ephem + ephemeral: + volumeClaimTemplate: + metadata: + labels: + type: my-frontend-volume + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: "scratch-storage-class" + resources: + requests: + storage: 1Gi +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob07 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - name: foo + mountPath: /foo + volumes: + - name: foo + persistentVolumeClaim: + claimName: fooclaim + readOnly: true +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob08 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - mountPath: /var/run/secrets/tokens + name: vault-token + volumes: + - name: vault-token + projected: + sources: + - serviceAccountToken: + path: vault-token + expirationSeconds: 7200 + audience: vault +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob09 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: nginx + volumeMounts: + - mountPath: /mysecret + name: mysecret + volumes: + - name: mysecret + secret: + secretName: mysecret diff --git a/pod-security/restricted/restrict-volume-types/e2e/policy-assert.yaml b/pod-security/restricted/restrict-volume-types/e2e/policy-assert.yaml new file mode 100644 index 00000000..fb8a34cc --- /dev/null +++ b/pod-security/restricted/restrict-volume-types/e2e/policy-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-volume-types +spec: + validationFailureAction: Audit +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/rbac-best-practices/disable-automount-sa-token/e2e/chainsaw-test.yaml b/rbac-best-practices/disable-automount-sa-token/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..e3b1d563 --- /dev/null +++ b/rbac-best-practices/disable-automount-sa-token/e2e/chainsaw-test.yaml @@ -0,0 +1,21 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disable-automount-sa-token-policy +spec: + steps: + - name: step-01 + try: + - apply: + file: ../disable-automount-sa-token.yaml + - assert: + file: policy-assert.yaml + - apply: + file: ns.yaml + - apply: + file: sa.yaml + - assert: + file: sa-patched.yaml + - error: + file: sa-not-patched.yaml diff --git a/best-practices/disallow_default_namespace/e2e/04-ns.yaml b/rbac-best-practices/disable-automount-sa-token/e2e/ns.yaml similarity index 56% rename from best-practices/disallow_default_namespace/e2e/04-ns.yaml rename to rbac-best-practices/disable-automount-sa-token/e2e/ns.yaml index 8f5b8c3b..d727f164 100644 --- a/best-practices/disallow_default_namespace/e2e/04-ns.yaml +++ b/rbac-best-practices/disable-automount-sa-token/e2e/ns.yaml @@ -1,4 +1,4 @@ apiVersion: v1 kind: Namespace metadata: - name: not-default-ns + name: disable-satokenmount-ns \ No newline at end of file diff --git a/rbac-best-practices/disable-automount-sa-token/e2e/policy-assert.yaml b/rbac-best-practices/disable-automount-sa-token/e2e/policy-assert.yaml new file mode 100644 index 00000000..a6c81de4 --- /dev/null +++ b/rbac-best-practices/disable-automount-sa-token/e2e/policy-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disable-automount-sa-token +status: + ready: true diff --git a/rbac-best-practices/disable-automount-sa-token/e2e/sa-not-patched.yaml b/rbac-best-practices/disable-automount-sa-token/e2e/sa-not-patched.yaml new file mode 100644 index 00000000..b7308161 --- /dev/null 
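Review bot: The `policy-assert.yaml` in this test asserts `status.ready: true`, while every other policy-assert on this page asserts `status.conditions` with `type: Ready` and `status: "True"`; aligning on one form avoids two readiness definitions that can drift apart if either field changes. The step order is sound: the policy has to be Ready before `ns.yaml` is applied, because `sa-patched.yaml` expects the namespace's `default` ServiceAccount (created asynchronously by the controller after the namespace exists) to carry `automountServiceAccountToken: false`. Pairing `assert: sa-patched.yaml` with `error: sa-not-patched.yaml` appears to encode that only the `default` SA is mutated and `foo-sa` must remain untouched; a comment on the `error:` step, `# foo-sa must NOT be mutated: only the namespace's default SA is patched`, would make that intent explicit. `creationTimestamp: null` under `metadata` is generator residue and can be dropped, as the other chainsaw-test files do.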
+++ b/rbac-best-practices/disable-automount-sa-token/e2e/sa-not-patched.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: false
+metadata:
+ name: foo-sa
+ namespace: disable-satokenmount-ns
\ No newline at end of file
diff --git a/rbac-best-practices/disable-automount-sa-token/e2e/sa-patched.yaml b/rbac-best-practices/disable-automount-sa-token/e2e/sa-patched.yaml
new file mode 100644
index 00000000..b5a0417b
--- /dev/null
+++ b/rbac-best-practices/disable-automount-sa-token/e2e/sa-patched.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: false
+metadata:
+ name: default
+ namespace: disable-satokenmount-ns
\ No newline at end of file
diff --git a/rbac-best-practices/disable-automount-sa-token/e2e/sa.yaml b/rbac-best-practices/disable-automount-sa-token/e2e/sa.yaml
new file mode 100644
index 00000000..0acdf02a
--- /dev/null
+++ b/rbac-best-practices/disable-automount-sa-token/e2e/sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: foo-sa
+ namespace: disable-satokenmount-ns
\ No newline at end of file
diff --git a/rbac-best-practices/restrict-automount-sa-token/e2e/bad-resource.yaml b/rbac-best-practices/restrict-automount-sa-token/e2e/bad-resource.yaml
new file mode 100644
index 00000000..d276eb08
--- /dev/null
+++ b/rbac-best-practices/restrict-automount-sa-token/e2e/bad-resource.yaml
@@ -0,0 +1,68 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + automountServiceAccountToken: true + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + app.kubernetes.io/part-of: blah-reporter + name: badpod02 +spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + automountServiceAccountToken: true + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + labels: + app.kubernetes.io/part-of: blah-reporter + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: busybox + image: busybox:1.35 + restartPolicy: OnFailure diff --git a/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..57baedcb --- /dev/null +++ b/rbac-best-practices/restrict-automount-sa-token/e2e/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-automount-sa-token-policy +spec: + steps: + - name: test-restrict-automount-sa-token + try: + - apply: + file: ../restrict-automount-sa-token.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-automount-sa-token.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml 
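Review bot: `badpod02` and `badcronjob01` carry `app.kubernetes.io/part-of: blah-reporter`, a near-miss of the `policy-reporter` value that good-resource.yaml uses on `goodpod03` and `goodcronjob01`, but nothing in the fixture says this is deliberate, so a later cleanup could "correct" it to the exempted value and silently drop the negative case. A comment on each, `# near-miss of the exempted part-of label value: must still be denied`, protects the case and also documents that the exemption is a plain label match, which is worth knowing since any workload author can set that label. `strategy: {}` on `baddeployment01` looks like generator residue and can go.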
diff --git a/best-practices/disallow_default_namespace/e2e/03-enforce-policy-assert.yaml b/rbac-best-practices/restrict-automount-sa-token/e2e/enforce-policy-assert.yaml similarity index 75% rename from best-practices/disallow_default_namespace/e2e/03-enforce-policy-assert.yaml rename to rbac-best-practices/restrict-automount-sa-token/e2e/enforce-policy-assert.yaml index ee710e5e..4435a497 100644 --- a/best-practices/disallow_default_namespace/e2e/03-enforce-policy-assert.yaml +++ b/rbac-best-practices/restrict-automount-sa-token/e2e/enforce-policy-assert.yaml @@ -1,11 +1,11 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-default-namespace + name: restrict-automount-sa-token spec: validationFailureAction: Enforce status: conditions: - reason: Succeeded status: "True" - type: Ready + type: Ready \ No newline at end of file diff --git a/rbac-best-practices/restrict-automount-sa-token/e2e/good-resource.yaml b/rbac-best-practices/restrict-automount-sa-token/e2e/good-resource.yaml new file mode 100644 index 00000000..68c3b63b --- /dev/null +++ b/rbac-best-practices/restrict-automount-sa-token/e2e/good-resource.yaml 
@@ -0,0 +1,69 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + app.kubernetes.io/part-of: policy-reporter + name: goodpod03 +spec: + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + labels: + app.kubernetes.io/part-of: policy-reporter + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: busybox + image: busybox:1.35 + restartPolicy: OnFailure diff --git a/best-practices/disallow-empty-ingress-host/e2e/policy-assert.yaml b/rbac-best-practices/restrict-automount-sa-token/e2e/policy-assert.yaml similarity index 82% rename from best-practices/disallow-empty-ingress-host/e2e/policy-assert.yaml rename to rbac-best-practices/restrict-automount-sa-token/e2e/policy-assert.yaml index e1157eca..4ee4014e 100644 --- a/best-practices/disallow-empty-ingress-host/e2e/policy-assert.yaml +++ b/rbac-best-practices/restrict-automount-sa-token/e2e/policy-assert.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-empty-ingress-host + name: restrict-automount-sa-token spec: validationFailureAction: Audit status: 
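Review bot: `goodpod01` and `goodpod02` are identical apart from the name (both set `automountServiceAccountToken: false` with no labels), so the second adds no coverage. Either drop it or make it the missing case, e.g. a pod that sets `automountServiceAccountToken: false` and also carries an unrelated `app.kubernetes.io/part-of` label, so the test shows the allow decision does not hinge on labels. If `goodpod02` was meant to exercise a different policy field, a comment naming that field would keep the two from being collapsed later.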
diff --git a/rbac-best-practices/restrict-binding-system-groups/e2e/bad-resource.yaml b/rbac-best-practices/restrict-binding-system-groups/e2e/bad-resource.yaml new file mode 100644 index 00000000..4e7d48ee --- /dev/null +++ b/rbac-best-practices/restrict-binding-system-groups/e2e/bad-resource.yaml @@ -0,0 +1,67 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: badcrb01 +subjects: +- kind: Group + name: bar + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: "system:masters" + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: badcrb02 +subjects: +- kind: Group + namespace: foo + name: bar + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: "system:masters" + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: badrb01 +subjects: +- kind: Group + name: bar + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: "system:masters" + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: badrb02 +subjects: +- kind: Group + name: bar + namespace: foo + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: "system:masters" + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: badrb03 +subjects: +- kind: Group + name: bar + namespace: foo + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: "system:masters" + apiGroup: rbac.authorization.k8s.io diff --git a/rbac-best-practices/restrict-binding-system-groups/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-binding-system-groups/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..a48d4aa0 --- /dev/null +++ b/rbac-best-practices/restrict-binding-system-groups/e2e/chainsaw-test.yaml 
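Review bot: `badrb02` and `badrb03` are identical apart from the name (Group `bar` with `namespace: foo` bound to Role `system:masters`), so one of them is dead weight. The ClusterRoleBinding half already contrasts a subject with and without `namespace` (`badcrb01`/`badcrb02`); consider turning `badrb03` into a different subject kind, e.g. `kind: ServiceAccount` with `namespace: foo`, or a different `system:` role name, so the fixture shows the match is on `roleRef.name` rather than on the subject. Note that `namespace` on a `Group` subject is only meaningful for ServiceAccount subjects, so the with/without-namespace pair exercises the policy's field matching, not a different authorization outcome.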
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-binding-system-groups-policy
+spec:
+ steps:
+ - name: test-restrict-binding-system-groups
+ try:
+ - apply:
+ file: ../restrict-binding-system-groups.yaml
+ - assert:
+ file: policy-assert.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-binding-system-groups.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
diff --git a/rbac-best-practices/restrict-binding-system-groups/e2e/enforce-policy-assert.yaml b/rbac-best-practices/restrict-binding-system-groups/e2e/enforce-policy-assert.yaml
new file mode 100644
index 00000000..d5768e9d
--- /dev/null
+++ b/rbac-best-practices/restrict-binding-system-groups/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-binding-system-groups
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/rbac-best-practices/restrict-binding-system-groups/e2e/good-resource.yaml b/rbac-best-practices/restrict-binding-system-groups/e2e/good-resource.yaml
new file mode 100644
index 00000000..7e958419
--- /dev/null
+++ b/rbac-best-practices/restrict-binding-system-groups/e2e/good-resource.yaml
@@ -0,0 +1,77 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: goodcrb01 +subjects: +- kind: Group + name: secret-reader + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: ClusterRole + name: manager + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: goodcrb02 +subjects: +- kind: ServiceAccount + namespace: foo + name: foo-reader +roleRef: + kind: ClusterRole + name: manager + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: goodcrb03 +subjects: +- kind: ServiceAccount + namespace: foo + name: "system.foo" +roleRef: + kind: ClusterRole + name: manager + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: goodrb01 +subjects: +- kind: User + name: foo + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: foo-bar + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: goodrb02 +subjects: +- kind: ServiceAccount + name: foo + namespace: foo +roleRef: + kind: Role + name: foo-bar + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: goodrb03 +subjects: +- kind: Group + name: "system:foo" + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: foo + apiGroup: rbac.authorization.k8s.io diff --git a/rbac-best-practices/restrict-binding-system-groups/e2e/policy-assert.yaml b/rbac-best-practices/restrict-binding-system-groups/e2e/policy-assert.yaml new file mode 100644 index 00000000..35d048f1 --- /dev/null +++ b/rbac-best-practices/restrict-binding-system-groups/e2e/policy-assert.yaml 
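Review bot: `goodcrb03` (ServiceAccount named `system.foo`) and `goodrb03` (Group `system:foo` bound to Role `foo`) appear to be there to show that system-looking names in `subjects` are not what the policy restricts, only `roleRef.name`, but the file does not say so and both read like accidental near-misses. A comment above each, `# subject name resembles a system identity; the policy must only inspect roleRef.name`, keeps the cases from being "cleaned up" into ordinary names. The rest of the file (User, Group and ServiceAccount subjects against non-system roles) is straightforward.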
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-binding-system-groups
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml
new file mode 100644
index 00000000..65063c9c
--- /dev/null
+++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/bad-resource.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: badcr01
+rules:
+- apiGroups: [""]
+ resources: ["nodes/proxy", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: badcr02
+rules:
+- apiGroups: [""]
+ resources: ["pods", "nodes/proxy"]
+ verbs: ["get", "watch", "list"]
diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml
new file mode 100644
index 00000000..5d36c2a9
--- /dev/null
+++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-clusterrole-nodesproxy-policy
+spec:
+ steps:
+ - name: test-restrict-clusterrole-nodesproxy
+ try:
+ - apply:
+ file: ../restrict-clusterrole-nodesproxy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-clusterrole-nodesproxy.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
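Review bot: Both bad ClusterRoles name `nodes/proxy` literally and the good ones use `pods`, `namespaces` and `nodes`, so there is no fixture for `resources: ["*"]`, which also grants `nodes/proxy`. If the policy is meant to cover the wildcard form, add a third bad ClusterRole with `resources: ["*"]`; if wildcards are deliberately left to restrict-wildcard-resources (whose fixtures begin further down this diff), a comment in good-resource.yaml saying so would keep the gap from being read as an oversight. The chainsaw-test on this line shares the `($error != null)` check raised on the restrict-volume-types test.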
diff --git a/best-practices/disallow_cri_sock_mount/e2e/03-enforce-policy-assert.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/enforce-policy-assert.yaml similarity index 74% rename from best-practices/disallow_cri_sock_mount/e2e/03-enforce-policy-assert.yaml rename to rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/enforce-policy-assert.yaml index 5554e871..0b7e800e 100644 --- a/best-practices/disallow_cri_sock_mount/e2e/03-enforce-policy-assert.yaml +++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/enforce-policy-assert.yaml @@ -1,11 +1,11 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-container-sock-mounts + name: restrict-clusterrole-nodesproxy spec: validationFailureAction: Enforce status: conditions: - reason: Succeeded status: "True" - type: Ready + type: Ready \ No newline at end of file diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml new file mode 100644 index 00000000..de7c8c2b --- /dev/null +++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/good-resource.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr01 +rules: +- apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: goodcr02 +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "watch", "list"] diff --git a/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/policy-assert.yaml b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/policy-assert.yaml new file mode 100644 index 00000000..7220658d --- /dev/null +++ b/rbac-best-practices/restrict-clusterrole-nodesproxy/e2e/policy-assert.yaml 
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-clusterrole-nodesproxy
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/rbac-best-practices/restrict-escalation-verbs-roles/e2e/bad-resource.yaml b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/bad-resource.yaml
new file mode 100644
index 00000000..dd998b91
--- /dev/null
+++ b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/bad-resource.yaml
@@ -0,0 +1,89 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: badcr01 +rules: +- apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["rbac.authorization.k8s.io", "apps"] + resources: ["deployments", "roles"] + verbs: ["bind", "watch", "list"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles"] + verbs: ["update", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: badcr02 +rules: +- apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["rbac.authorization.k8s.io", "apps"] + resources: ["deployments", "roles"] + verbs: ["get", "watch", "list"] +- apiGroups: ["batches", "rbac.authorization.k8s.io"] + resources: ["clusterroles"] + verbs: ["update", "escalate", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: badcr03 +rules: +- apiGroups: ["rbac.authorization.k8s.io", "apps"] + resources: ["deployments", "roles"] + verbs: ["get", "watch", "bind"] +- apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["batches", "rbac.authorization.k8s.io"] + resources: ["clusterroles"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: badrole01 +rules: +- apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["rbac.authorization.k8s.io", "apps"] + resources: ["deployments", "roles"] + verbs: ["bind", "watch", "list"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles"] + verbs: ["update", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: badrole02 +rules: +- apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["rbac.authorization.k8s.io", "apps"] + resources: ["deployments", 
"roles"] + verbs: ["get", "watch", "list"] +- apiGroups: ["batches", "rbac.authorization.k8s.io"] + resources: ["clusterroles"] + verbs: ["update", "escalate", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: badrole03 +rules: +- apiGroups: ["rbac.authorization.k8s.io", "apps"] + resources: ["deployments", "roles"] + verbs: ["get", "watch", "bind"] +- apiGroups: [""] + resources: ["pods", "namespaces"] + verbs: ["get", "watch", "list"] +- apiGroups: ["batches"] + resources: ["jobs"] + verbs: ["get", "watch", "list"] diff --git a/rbac-best-practices/restrict-escalation-verbs-roles/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/chainsaw-test.yaml new file mode 100644 index 00000000..b2cecb30 --- /dev/null +++ b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-escalation-verbs-roles-policy +spec: + steps: + - name: test-restrict-escalation-verbs-roles + try: + - apply: + file: ../restrict-escalation-verbs-roles.yaml + - assert: + file: policy-assert.yaml + - script: + content: | + sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-escalation-verbs-roles.yaml | kubectl apply -f - + - assert: + file: enforce-policy-assert.yaml + - apply: + file: good-resource.yaml + - apply: + expect: + - check: + ($error != null): true + file: bad-resource.yaml diff --git a/rbac-best-practices/restrict-escalation-verbs-roles/e2e/enforce-policy-assert.yaml b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/enforce-policy-assert.yaml new file mode 100644 index 00000000..467bc1a6 --- /dev/null +++ b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/enforce-policy-assert.yaml 
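Review bot: `badcr02`, `badcr03`, `badrole02` and `badrole03` use `apiGroups: ["batches"]`; the Kubernetes group is `batch`, and RBAC does not validate group names, so the apply succeeds and the typo is invisible in the run. In `badcr02`/`badrole02` the real `rbac.authorization.k8s.io` entry still carries the `escalate` grant, so the policy outcome is unaffected, but `badrole03`'s filler rule (`batches`/`jobs`) grants nothing and the fixtures should read `apiGroups: ["batch", "rbac.authorization.k8s.io"]` and `apiGroups: ["batch"]`. Coverage-wise the bad cases hit `bind` and `escalate` only; if the policy also restricts `impersonate`, one more ClusterRole with `verbs: ["impersonate"]` would pin it. The chainsaw-test in this hunk shares the `($error != null)` check raised on the restrict-volume-types test.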
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-escalation-verbs-roles
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/rbac-best-practices/restrict-escalation-verbs-roles/e2e/good-resource.yaml b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/good-resource.yaml
new file mode 100644
index 00000000..a658b2a1
--- /dev/null
+++ b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/good-resource.yaml
@@ -0,0 +1,47 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr01
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io", "apps"]
+ resources: ["deployments", "roles"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles"]
+ verbs: ["update", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr02
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: goodrole01
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io", "apps"]
+ resources: ["deployments", "roles"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles"]
+ verbs: ["update", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: goodrole02
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
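Review bot: goodcr01 and goodrole01 grant `update` on `clusterroles` and are asserted to be accepted, with nothing explaining why a verb that can rewrite cluster-wide permissions counts as "good" here. That is defensible — the API server's own RBAC escalation check already bounds `update` to permissions the caller holds, whereas `bind`/`escalate`/`impersonate` are the verbs that bypass it — but an unexplained positive fixture is exactly what gets copied when someone later argues to widen the allow list. I would put a comment on those rules: `# update on clusterroles is deliberately allowed: the API server's escalation check bounds it; only bind/escalate/impersonate bypass that check`. Minor: `namespaces` inside a namespaced Role (goodrole01, goodrole02) grants nothing, so if it is only there for symmetry with the ClusterRole fixtures, say so.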
diff --git a/rbac-best-practices/restrict-escalation-verbs-roles/e2e/policy-assert.yaml b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/policy-assert.yaml
new file mode 100644
index 00000000..56f39264
--- /dev/null
+++ b/rbac-best-practices/restrict-escalation-verbs-roles/e2e/policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-escalation-verbs-roles
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/rbac-best-practices/restrict-wildcard-resources/e2e/bad-resource.yaml b/rbac-best-practices/restrict-wildcard-resources/e2e/bad-resource.yaml
new file mode 100644
index 00000000..be346c23
--- /dev/null
+++ b/rbac-best-practices/restrict-wildcard-resources/e2e/bad-resource.yaml
@@ -0,0 +1,65 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: badcr01
+rules:
+- apiGroups: [""]
+ resources: ["namespaces", "*", "pods"]
+ verbs: ["get", "create"]
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: badcr02
+rules:
+- apiGroups: ["apps"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: [""]
+ resources: ["namespaces", "secrets", "pods"]
+ verbs: ["create", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: badcr03
+rules:
+- apiGroups: [""]
+ resources: ["*"]
+ verbs: ["update", "list", "create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: badcr01
+rules:
+- apiGroups: [""]
+ resources: ["namespaces", "*", "pods"]
+ verbs: ["get", "create"]
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: badcr02
+rules:
+- apiGroups: ["apps"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: [""]
+ resources: ["namespaces", "secrets", "pods"]
+ verbs: ["create", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: badcr03
+rules:
+- apiGroups: [""]
+ resources: ["*"]
+ verbs: ["update", "list", "create"]
diff --git a/rbac-best-practices/restrict-wildcard-resources/e2e/chainsaw-test.yaml b/rbac-best-practices/restrict-wildcard-resources/e2e/chainsaw-test.yaml
new file mode 100644
index 00000000..188244b5
--- /dev/null
+++ b/rbac-best-practices/restrict-wildcard-resources/e2e/chainsaw-test.yaml
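Review bot: None of the six fixtures is the shape that actually shows up in real clusters — `apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]` — so the canonical cluster-admin-equivalent Role is never proven to be rejected; badcr03 comes closest but pins the core group only. I would add a document with `- apiGroups: ["*"]` / `resources: ["*"]` / `verbs: ["*"]` for both kinds, since that is the case a regression in the policy's resource match would most plausibly let through. Also, the three Role documents reuse the ClusterRole names badcr01–badcr03; that is legal because the kinds differ, but it makes a failure message ambiguous about which document was (or was not) rejected — the sibling escalation fixture uses badrole01–03, and this file should match.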
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-wildcard-resources-policy
+spec:
+ steps:
+ - name: test-restrict-wildcard-resources
+ try:
+ - apply:
+ file: ../restrict-wildcard-resources.yaml
+ - assert:
+ file: policy-assert.yaml
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-wildcard-resources.yaml | kubectl apply -f -
+ - assert:
+ file: enforce-policy-assert.yaml
+ - apply:
+ file: good-resource.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resource.yaml
diff --git a/rbac-best-practices/restrict-wildcard-resources/e2e/enforce-policy-assert.yaml b/rbac-best-practices/restrict-wildcard-resources/e2e/enforce-policy-assert.yaml
new file mode 100644
index 00000000..6054e24e
--- /dev/null
+++ b/rbac-best-practices/restrict-wildcard-resources/e2e/enforce-policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-wildcard-resources
+spec:
+ validationFailureAction: Enforce
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/rbac-best-practices/restrict-wildcard-resources/e2e/good-resource.yaml b/rbac-best-practices/restrict-wildcard-resources/e2e/good-resource.yaml
new file mode 100644
index 00000000..f79c7f36
--- /dev/null
+++ b/rbac-best-practices/restrict-wildcard-resources/e2e/good-resource.yaml
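Review bot: The bad-resource step asserts only `($error != null): true`, which accepts any rejection at all; a fixture that the API server refuses for its own reasons, or that a different Enforce policy on the same cluster blocks, would pass this test without restrict-wildcard-resources ever firing. Checking the policy name in the message, e.g. `(contains($error, 'restrict-wildcard-resources')): true` (assuming `$error` is the admission error text), makes the assertion specific to the policy under test. The `script` step also runs the Audit→Enforce switch through a shell pipeline with no comment; a one-liner such as `# flip the shipped policy to Enforce; the next assert fails if the sed matched nothing` would save the next reader from wondering why the mutation is not checked in-line.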
@@ -0,0 +1,95 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr01
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr02
+rules:
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "create", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr03
+rules:
+- apiGroups: ["batch"]
+ resources: ["secrets"]
+ verbs: ["create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr04
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: goodcr05
+rules:
+- apiGroups: ["*"]
+ resources: ["secrets"]
+ verbs: ["create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: goodcr01
+rules:
+- apiGroups: [""]
+ resources: ["pods", "namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: goodcr02
+rules:
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "create", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: goodcr03
+rules:
+- apiGroups: ["batch"]
+ resources: ["secrets"]
+ verbs: ["create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: goodcr04
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: goodcr05
+rules:
+- apiGroups: ["*"]
+ resources: ["secrets"]
+ verbs: ["create", "update", "patch"]
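Review bot: goodcr04 (`verbs: ["*"]` on secrets) and goodcr05 (`apiGroups: ["*"]` on secrets) are asserted to be *accepted*, and nothing in the file says that this is because restrict-wildcard-resources looks at the `resources` list alone; a reader skimming a file named good-resource.yaml will take these as endorsed RBAC, which they are not. I would annotate both rules, e.g. `# wildcard verbs and apiGroups are out of scope for this policy (covered elsewhere if at all); only resources: ["*"] is denied here`, hedged because the sibling policy set is not visible in this diff. The goodcr03 rule (`apiGroups: ["batch"]` with `resources: ["secrets"]`) is likewise not a real group/resource pairing; if it is there only to prove the policy does not trip on an arbitrary group, a comment saying that would stop someone "fixing" it to the core group and accidentally changing what the fixture exercises.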
diff --git a/rbac-best-practices/restrict-wildcard-resources/e2e/policy-assert.yaml b/rbac-best-practices/restrict-wildcard-resources/e2e/policy-assert.yaml
new file mode 100644
index 00000000..28a0f36f
--- /dev/null
+++ b/rbac-best-practices/restrict-wildcard-resources/e2e/policy-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-wildcard-resources
+spec:
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready